System Integrity Protection (SIP) is a kernel‑level security technology that locks down critical areas of macOS (for example, /System, /usr, /bin, /sbin, /var and Apple‑preinstalled apps). It’s on by default and restricts even the root user. You can check it with csrutil status and change it only from macOS Recovery. Always re‑enable SIP when you’re done with low‑level tasks like data recovery.
What SIP Is (and Why Apple Enforces It)
SIP helps prevent malware and misconfigured tools from modifying protected files, directories, and system processes—even with root privileges. It allows changes only by Apple‑signed processes with special entitlements (such as macOS installers and software updates). Apple introduced SIP in OS X 10.11 El Capitan and it remains foundational in modern macOS releases. Protected paths include /System, /usr (but not /usr/local), /bin, /sbin, /var, and apps preinstalled by macOS; writable locations for third‑party software include /Applications, /Library, and /usr/local.
Beginning with macOS 10.15 Catalina and evolving in macOS 11 Big Sur and later, SIP works alongside the Signed System Volume (SSV), which cryptographically seals the system volume. This adds runtime integrity checks so altered system files won’t load without breaking the seal (more on SSV below).
What SIP Protects (at a Glance)
Area / capability | What SIP does |
---|---|
System directories | Protects core system paths from modification: /System, /usr (except /usr/local), /bin, /sbin, /var, and other files on the read‑only signed system volume. |
Apple‑preinstalled apps | Prevents tampering with Apple‑installed apps (e.g., Safari, Mail). Only Apple‑signed updates with the proper entitlements can modify them. |
Low‑level operations | Restricts privileged actions such as loading unsigned kernel extensions, certain dtrace/debug operations, direct NVRAM writes, and other system‑level changes unless adjusted from macOS Recovery. |
Startup selection & security policy | Blocks software from programmatically changing the startup disk and requires Recovery to alter security settings (e.g., Apple silicon Full/Reduced Security or Intel T2 Startup Security Utility options). |
Disk Drill & SIP (What You Actually Need)
Do I have to disable SIP to recover my files?
Often no. For most cases—especially external disks—all you need is to give Disk Drill Full Disk Access in System Settings ▸ Privacy & Security ▸ Full Disk Access.
When might I need SIP changes?
For startup‑disk recovery on macOS 10.13+ (High Sierra and later), Disk Drill needs raw, read‑only access to the volume. Historically, this could require temporarily relaxing SIP’s filesystem protection (or working from a bootable environment). If that’s your path, use macOS Recovery to change SIP only for the time you’re performing file recovery, then turn SIP back on immediately after.
Best‑practice alternatives if you prefer not to touch SIP:
- Target Disk Mode: Connect the affected Mac to another Mac and scan the troubled drive from the healthy machine (for older Intel Macs).
- Run Disk Drill in macOS Recovery Mode: Start your Mac in the built‑in macOS Recovery environment, open Utilities ▸ Terminal, and launch Disk Drill using the recovery command provided in our guide (internet connection required).
- Install Disk Drill’s system kernel extension (KEXT): For startup‑disk recovery, install the signed kernel extension developed by Disk Drill to gain direct, read‑only device access without disabling SIP.
How to Check Whether SIP Is Enabled
Open Terminal and run:
csrutil status
Expect one of the following:
- System Integrity Protection status: enabled.
- …disabled.
- …enabled (Custom Configuration) or sometimes …unknown (seen when only specific protections are toggled).
You can only change SIP from macOS Recovery; macOS stores the setting in a secure policy store (Intel Macs historically used NVRAM; Apple silicon uses a LocalPolicy governed via Recovery).
Change SIP on Apple Silicon (M‑series)
- Shut down the Mac.
- Press and hold the power button until you see Loading startup options ▸ click Options ▸ Continue.
- Authenticate with an admin account.
- In the top menu, open Utilities ▸ Terminal.
- Run one of:
  - Disable SIP completely (temporary):
    csrutil disable
  - Re‑enable SIP (default):
    csrutil enable
- Restart.
- Verify from Terminal:
csrutil status
Change SIP on Intel Macs (with or without T2)
- Restart and hold Command (⌘) + R to enter macOS Recovery.
- From the menu bar, open Utilities ▸ Terminal.
- Run one of:
  - Disable SIP completely (temporary):
    csrutil disable
  - Re‑enable SIP (default):
    csrutil enable
- Restart and verify with:
csrutil status
Advanced: Partial (Granular) SIP Changes
SIP is a family of protections. On some macOS versions, Apple’s csrutil supports enabling SIP while selectively omitting specific protections (for example, filesystem, debugging, dtrace, nvram). This results in a status like “enabled (Custom Configuration)”. Example (from Recovery):
# Enable SIP but omit filesystem protection only
csrutil enable --without fs
For a readable (non‑Apple) overview of current flags observed in Sonoma/Sequoia era builds, see Howard Oakley’s reference.
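An added example (not Disk Drill's or Apple's code) for the status check and the custom-configuration case described above: a shell helper that classifies csrutil status output so a post-recovery check can confirm SIP is fully back on. The function names and the sample text are constructed, and the per-protection "Configuration:" lines are an assumption about what csrutil prints for a custom configuration.

```sh
#!/bin/sh
# Added example; sip_state, sip_relaxed and sip_check are hypothetical helpers,
# not part of csrutil or Disk Drill.

# Constructed sample of a custom-configuration report (layout is an assumption).
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled'

# Classify the status line: enabled | disabled | custom | unrecognized.
sip_state() {
    first=$(printf '%s\n' "$1" | sed -n '/System Integrity Protection status:/{p;q;}')
    case "$first" in
        *"(Custom Configuration)"*) echo custom ;;
        *"status: enabled"*)        echo enabled ;;
        *"status: disabled"*)       echo disabled ;;
        *)                          echo unrecognized ;;
    esac
}

# List protections reported as disabled. "Apple Internal" is skipped because
# it is assumed to read "disabled" on a normal retail configuration.
sip_relaxed() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[ \t]*Apple Internal:/ { next }
        /^[ \t]*[A-Za-z ]+: *disabled[ \t]*$/ {
            sub(/^[ \t]+/, "", $1)
            out = (out == "" ? $1 : out "," $1)
        }
        END { print out }'
}

# Exit 0 only when SIP is fully enabled, so scripts can gate on the result.
sip_check() {
    case "$(sip_state "$1")" in
        enabled)  echo "OK: SIP fully enabled"; return 0 ;;
        custom)   echo "WARN: custom configuration; relaxed: $(sip_relaxed "$1")"; return 1 ;;
        disabled) echo "FAIL: SIP disabled; run csrutil enable from macOS Recovery"; return 1 ;;
        *)        echo "UNKNOWN: could not parse csrutil output"; return 2 ;;
    esac
}

# On a Mac, pass live output instead: sip_check "$(csrutil status)"
sip_check "$SAMPLE_CUSTOM" || true
```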
FAQ
Yes. You can use Disk Drill’s system kernel extension (kext) to enable the low‑level, read‑only device access needed for startup‑disk recovery without disabling SIP or manually running Terminal commands.
If you are concerned about your security while SIP is partially disabled, you can take your Mac offline by disconnecting it from your wired or wireless network. This is not strictly necessary, though, as your file system (the protection of which you just disabled temporarily) is not accessible to anything or anyone outside of this computer.
We are aware of similar cases where users can’t access their internal drives even though their computers boot from external storage devices. When this happens, your internal drive is most probably still under the active protection of SIP (System Integrity Protection). This is exactly why you are reading this guide. Just disable SIP on your Mac for the time you need to recover data from your internal drives. It’s simple and totally safe, and you can re-enable it after your files are recovered.
If your external drive is used as storage for Time Machine backups, macOS Catalina (10.15) or newer might be automatically protecting it as part of SIP.