Skip to content

Instantly share code, notes, and snippets.

@lvnilesh

lvnilesh/sip.md

Last active April 24, 2026 04:45
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save lvnilesh/f6b47b9589b970e4f9111e7b8476452d to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save lvnilesh/f6b47b9589b970e4f9111e7b8476452d to your computer and use it in GitHub Desktop.
Download ZIP
csrutil imac multiboot system integrity protection
Raw
sip.md 
sudo csrutil status
Password:
System Integrity Protection status: unknown (Custom Configuration).

Configuration:
	Apple Internal: disabled
	Kext Signing: disabled
	Filesystem Protections: disabled
	Debugging Restrictions: disabled
	DTrace Restrictions: disabled
	NVRAM Protections: disabled
	BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

Terminal Method

To enable this exact configuration, you would use the csrutil enable command with specific flags to disable individual protections while leaving others active.

From Recovery Mode Terminal, the command is:

csrutil enable --without kext --without fs --without debug --without dtrace --without nvram

Why these flags? In the csrutil status output, "disabled" means the protection is turned off (allowing the action), and "enabled" means the protection is active (restricting the action).

--without kext: Disables Kext Signing.
--without fs: Disables Filesystem Protections.
--without debug: Disables Debugging Restrictions.
--without dtrace: Disables DTrace Restrictions.
--without nvram: Disables NVRAM Protections.

No flag for BaseSystem: Since you didn't include --without basesystem, it remains enabled.

Alternative Method (Hex Mask)

On some versions of macOS, you can achieve this by setting a specific bitmask directly, though it is less common:

csrutil enable --mask 0x6F

Important: You must restart your Mac for these changes to take effect.

# Calculation to determine the hex mask for the user's current configuration based on source 1.2.3/1.1.4
# Desired state (from user's output):
# Apple Internal: disabled (0x10) -> disabled
# Kext Signing: disabled (0x01/0x200) -> enabled (meaning restricted, but user output says 'disabled' meaning restriction is OFF)
# Filesystem Protections: disabled (0x02) -> enabled (meaning restriction is OFF)
# Debugging Restrictions: disabled (0x04/0x08) -> enabled (meaning restriction is OFF)
# DTrace Restrictions: disabled (0x20) -> enabled (meaning restriction is OFF)
# NVRAM Protections: disabled (0x40) -> enabled (meaning restriction is OFF)
# BaseSystem Verification: enabled (0x100) -> disabled (meaning verification is ON)

# If 'disabled' in the status means the protection is OFF (allowed), we set those bits.
# CSR_ALLOW_UNTRUSTED_KEXTS = 0x1
# CSR_ALLOW_UNRESTRICTED_FS = 0x2
# CSR_ALLOW_TASK_FOR_PID = 0x4
# CSR_ALLOW_KERNEL_DEBUGGER = 0x8
# CSR_ALLOW_APPLE_INTERNAL = 0x10 (User says 'disabled', so 0x0)
# CSR_ALLOW_UNRESTRICTED_DTRACE = 0x20
# CSR_ALLOW_UNRESTRICTED_NVRAM = 0x40
# CSR_ALLOW_ANY_RECOVERY_OS = 0x100 (User says 'enabled', so 0x0)

mask = 0x01 | 0x02 | 0x04 | 0x08 | 0x20 | 0x40
print(f"Hex mask: {hex(mask)}")
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment