Hey there Techies! I’ve got a super interesting topic Manage System Integrity Protection for macOS, to discuss with you all this week. Let’s talk about more in details on this topic. System Integrity Protection (SIP) is an important security feature to understand and implement. We will also check out the advantages it brings and how it impacts end-user devices in compliance policies. So let’s get started!
In case you missed it, we’d like to draw your attention to check out our previous article on Configure New Managed Settings in macOS Catalogue using Intune 2309 release or later. The article covers the recently added macOS settings, the configuration of MS Defender cloud block, and EDR (Endpoint Detection Response) settings that are now available on Intune Service release 2309 or later versions. We highly recommend going through this article if you haven’t.
If you enjoy reading my articles on managing macOS devices with Microsoft Intune, you might also find my related interesting posts here. We’ve recently published a video on downloading and using macOS Sonoma and getting familiar with its latest features that can boost productivity for end-users. Check out the video below and let us know your feedback in the comments section.
Today’s article will focus solely on the key element of compliance settings: System Integrity Protection (SIP) under the macOS compliance policy category. We will discuss how SIP helps to secure data and resources in today’s world.
In my previous posts, I wrote an article on how to Configure macOS Compliance Policy in Intune for macOS Devices. The article covers topics such as what compliance policy is in Intune, why it is necessary to configure it, and how to configure it by providing sample policy steps.
What is SIP?
As discussed earlier, SIP stands for System Integrity Protection, a security feature that helps keep Macs safe from harmful software. It limits what the root user can do on protected parts of the operating system, which stops malicious software from changing important files and folders.
Before introducing System Integrity Protection on macOS Yosemite, on earlier macOS versions, the root user had full access to all system folders and apps in previous macOS versions. So any software with root-level access was able to change or delete system files and apps. This level of access was given once the user entered administrative privileges to install any software.
Now with the help of the System Integrity Protection feature enabled on devices, the root user’s actions are limited, which makes it harder for harmful software to attack organisation-managed Mac devices.
As SIP feature restricts access to certain parts of the system. Protected parts include the below locations in the system:
- /System
- /usr
- /bin
- /sbin
- /var
- and pre-installed apps with macOS
And Third-party apps can still write to the below paths and apps,
- /Applications
- /Library
- /usr/local
System Integrity Protection restricts modifications to certain system parts, which can only be modified by signed Apple processes. App Store apps are, by default, compatible. However, Other third-party software may be disabled when upgrading to OS X El Capitan or later.
Enabling SIP on macOS Devices Really Worth?
SIP is a very useful security feature that has proven to be very effective in preventing malware attacks on Mac devices. Although there are some issues associated with it, such as failure to install legitimate apps or post-installation problems, Apple has been able to reduce these issues through major OS upgrades over the years.
Despite these occasional problems, SIP provides an added layer of security that makes it more difficult for malware to take over Macs. As a result, end-users are able to enjoy a safer computing experience while administrators have less to worry about.
How to check SIP Status on Mac?
It is quite easy to check whether SIP is enabled or disabled in the macOS device as an end-user, there are multiple ways to check it. We’ll go over all of the methods providing the most convenient option for you.
As an end-user, Check the SIP status on the System information page.
- Launch Spotlight ( Press Command + Spacebar) and type System Information to launch.
- Otherwise, navigate to System Settings > General > About > System Report.
Under Software Category, Check System Integrity Protection status.
As an end-user, Check the SIP status on the Terminal app.
- Launch Spotlight ( Press Command + Spacebar) and type Terminal to launch.
- After launching, enter the command: csrutil status
- Hit the return key to show the value.
Manage System Integrity Protection for macOS in Intune
As an Admin, check the device SIP status on the Intune Portal.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- On the left sidebar, select Devices > macOS > Compliance Policies.
- Check for the existing macOS compliance policy, and click on it to check the status.
Click on Per-Setting Status to check the success or failure device list according to the compliance setting configured by Admin.
Select Values for Compliance setting Require system integrity protection and click on any of the below categories to get device details.
- Compliant
- Non-Compliant
- Pending
- Error
- Not-Applicable
- Other
Here we can observe the device as Compliant with all the configured mandatory compliance policies.
IT Support executive with Intune Reader access, can check the device’s SIP status under the monitoring category.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- On the left sidebar, select Devices > Monitor
- Under Compliance, select Setting Compliance.
- Search for the setting Require system integrity protection and click on it to get device details that are compliant or enabled.
Here we can observe the device showing as compliant.
In the above scenario, our organization already has a compliance policy that mandates enabling the System Integration protection security feature. As a result, any device that complies with the policy will be marked as compliant and be able to access company resources.
On the other hand, any device that has this feature disabled will be marked as non-compliant and will not allowed to access the organization’s resources, making the environment secure from malware or personal non-compliant devices.
- Should you upgrade to Mac OS Ventura v13 managed using Intune
- New System Settings in macOS Ventura v13 and Intune Software Update Configs
Edit System Integrity Protection in macOS using Intune
To understand how to create a compliance policy, check out my previous article Configure macOS Compliance Policy in Intune for macOS Devices. To enable the devices with or without SIP Feature enabled, follow the steps mentioned below.
- Sign in to the Microsoft Intune admin center https://intune.microsoft.com/.
- On the left sidebar, select Devices > macOS > Compliance Policies.
- Check for the existing compliance policy, and click on it.
- Click on Properties > Under Compliance settings, click on Edit.
- Under the Device Health category, change the value for Require system integrity protection from Required or Not Configured.
- Click on Review+Save.
Here’s how you can export Intune Device Compliance policies from the Intune portal. You have two options to navigate to the compliance policies node either you can navigate to the Devices node or Endpoint Security, Export Intune Device Compliance Policies.
How to enable/disable SIP in macOS?
We have understood till now, what is SIP feature in macOS is and how it helps in securing the device data from any malware, lastly, let us understand how to enable or disable the System Integration Protection (SIP) feature in any macOS device.
Enabling or disabling System Integrity Protection (SIP) on a Mac is not an easy process that can be performed after user login. Instead, it needs to be set up in recovery mode with the help of the NVRAM set, which controls the SIP system.
Please note that SIP is controlled through the Mac’s NVRAM, so enabling or disabling it will affect all versions of the macOS installed on the Mac. SIP is a global setting that impacts all systems installed on the Mac device. Let us check the steps to follow to enable/disable SIP on macOS.
Disable System Integrity Protection in macOS
To disable the SIP feature in macOS, follow the steps mentioned below.
- Go to Recovery mode.
- Launch Terminal from Utilities.
- Run command
csrutil disable - Restart mac.
Enable System Integrity Protection in macOS
To enable the SIP feature in macOS, follow the steps mentioned below.
- Go to Recovery mode.
- Launch Terminal from Utilities.
- Run command
csrutil enable - Restart mac.
After enabling/ disabling the SIP feature, please check by following the steps mentioned above on How to check the SIP Status on Mac.
macOS Device Use Case in Organisations
At the end of the discussion on whether the SIP feature being enabled is helpful or not, it’s important to consider the changes in the device market over the past few decades. Windows devices used to dominate the market, being 100% organization-managed devices and managed under MDM tools like MECM and Intune.
However, Apple has recently focused on bringing more security to its MacBook devices and making them more affordable for everyone. This has resulted in a shift away from Windows devices. Apple’s MacBook devices are equipped with security features such as Gatekeeper, System Integrity Protection, and read-only system volumes, making them more trustworthy and secure than Windows devices.
When it comes to the use cases of the MacBook, there are two categories of users in organizations: Executives and VIPs, and Developers and Content Creators such as designers and video editors.
Executives and VIPs are priority users, and expanding their macOS environment is important. However, they may face IT issues while travelling and require quick solutions. Changes to their WiFi settings could require administrative privileges, disrupting productivity and access.
On the other hand, developers and content creators are users with technical backgrounds. They require flexibility and are known for their variability. They constantly run new code, install and uninstall applications, use command line tools, leverage virtualization platforms like Docker, and rely on ‘sudo’ to perform privileged device operations.
If this type of user operates with standard privileges, the IT Service Desk must frequently provide administrative privileges, necessitating one or more full-time staff members.
Conclusion
In conclusion, I would close the article by mentioning that after understanding the use cases and advantages of System Integration Protection on macOS, Organizations should make it mandatory to enable the feature while taking into consideration of few 3rd party apps that are not yet eligible with the SIP feature. These types of policies will secure network activity on user devices.
Author
Snehasis Pani is currently working as a JAMF Admin. He loves to help the community by sharing his knowledge on Apple Mac Devices Support. He is an M.Tech graduate in System Engineering. Do check out my profile on Twitter & Linkedin.