csrutil should allow re-enabling of SIP from booted OS
| Originator: | nmcspadden | | |
| Number: | rdar://29403930 | Date Originated: | 11/28/16 |
| Status: | Behaves correctly | Resolved: | 12/1/16 |
| Product: | macOS + SDK | Product Version: | 10.12.1 |
| Classification: | | Reproducible: | Always |
Summary:
csrutil does not have an option to reset the SIP status back to "All On". If you are already booted, there's absolutely no automated way to re-enable SIP on a device, or even at all without NetBoot, which doesn't work with 802.1x. csrutil should allow you to re-enable (only) SIP despite being logged in. It would provide enterprise a way to guarantee SIP gets enabled even if someone disables it.

Steps to Reproduce:
1. Disable SIP from Recovery Partition.
2. Restart and log into macOS 10.12 as normal.
3. `sudo csrutil enable`

Expected Results:
SIP should be re-enabled on next reboot.

Actual Results:
`csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.`

Version:
10.12.1 16B2555

Notes:

Configuration:
This occurs in every 10.11 and 10.12 install with SIP.
Comments
Apple Developer Relations 01-Dec-2016 04:37 PM
Please know that our engineering team has determined that this issue behaves as intended based on the information provided.
This is an expected result; users are only supposed to change the status of SIP in recovery mode.
Please refer to this website https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html
And we have mentioned it there: “To enable or disable System Integrity Protection, you must boot to Recovery OS”
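
Since SIP can only be changed from Recovery OS, a fleet can still detect its state from the booted OS with `csrutil status`. The script below is an added example, not part of the report or of Apple's reply; the function names are hypothetical, the sample outputs are constructed, and the output layout is assumed from 10.11/10.12.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for a compliance check.
# Sample outputs below are constructed; the layout is assumed from 10.11/10.12.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM=$(printf '%s\n\n%s\n\t%s\n\t%s\n\t%s\n' \
    'System Integrity Protection status: enabled (Custom Configuration).' \
    'Configuration:' \
    'Apple Internal: disabled' \
    'Kext Signing: disabled' \
    'Filesystem Protections: enabled')
# Error text quoted in the report; it carries no status line.
SAMPLE_ERROR='csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.'

# sip_state TEXT: prints enabled, custom, disabled or unknown.
sip_state() {
    status_line=$(printf '%s\n' "$1" |
        sed -n '/^System Integrity Protection status:/{p;q;}')
    case "$status_line" in
        *"(Custom Configuration)"*) echo custom ;;
        *"status: enabled"*)        echo enabled ;;
        *"status: disabled"*)       echo disabled ;;
        *)                          echo unknown ;;
    esac
}

# sip_disabled_parts TEXT: names of protections reported as disabled.
# Assumption: "Apple Internal: disabled" is the normal value, so it is skipped.
sip_disabled_parts() {
    printf '%s\n' "$1" | awk -F': ' '
        /^[ \t]+[^:]+: disabled$/ {
            name = $1; sub(/^[ \t]+/, "", name)
            if (name != "Apple Internal") print name
        }'
}

# sip_compliant TEXT: succeeds only when SIP is fully enabled.
sip_compliant() { [ "$(sip_state "$1")" = enabled ]; }

# On a Mac, report the live state; elsewhere csrutil is absent and this is skipped.
if command -v csrutil >/dev/null 2>&1; then
    out=$(csrutil status 2>&1 || true)
    echo "SIP state: $(sip_state "$out")"
    sip_compliant "$out" || echo "Non-compliant: re-enable from Recovery OS"
fi
```

A management agent can run this at check-in and flag any machine whose state is not `enabled` for a technician to boot into Recovery OS.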