The error is:
cstutil: The OS environment does not allow changing security configuration options.
Ensure that the system was booted into Recovery OS via the standard user action.
But I'm already in Recovery OS.
My OS version is macos Monterey12.0.1, and my device is MacBook Pro 14'' 2021.
MacBook Pro 14″, macOS 12.0
Same issue as you on my MacOS Monterey 12.0.1, Mackbook Pro 2021 with M1 Pro. I finally figured out the solutions as follows:
**Solution 1**
Use the Security Policy in the Startup Security Utility under the Utilities menu instead of Terminal, to downgrade the SIP level. (refer to https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac)
**Solution 2**
Run "csrutil clear" to clear the configuration, then "reboot". Now do the "csrutil disable" command in the Terminal.
Assuming you have entered the Recovery mode already, by holding down the Power button when powering-up/rebooting.
If you want to delete some files under the /Data volume (e.g. the notorious "/Users/Shared/Previously Relocated Items" garbage, forgot to purge before upgrading to Catalina), do "sudo mount -uw /System/Volumes/Data/" first (run in the Terminal after normal booting).
Don't forgot to enable the SIP after you have finished the job, either through the Startup Security Utility or the command "csrutil enable" in the Terminal.
BTW, I'd appreciate if someone can help to remove some files under /usr because "mount -uw" doesn't work on the "/" root directory. On my old macbook, I created a symbolic link named "X11" under /usr to run XQuartz and forgot to remove the link with it later. Unfortunately this link file became a core part of the MacOS system protected by SIP after upgrading to Big Sur...
Same issue as you on my MacOS Monterey 12.0.1, Mackbook Pro 2021 with M1 Pro. I finally figured out the solutions as follows:
**Solution 1**
Use the Security Policy in the Startup Security Utility under the Utilities menu instead of Terminal, to downgrade the SIP level. (refer to https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac)
**Solution 2**
Run "csrutil clear" to clear the configuration, then "reboot". Now do the "csrutil disable" command in the Terminal.
Assuming you have entered the Recovery mode already, by holding down the Power button when powering-up/rebooting.
If you want to delete some files under the /Data volume (e.g. the notorious "/Users/Shared/Previously Relocated Items" garbage, forgot to purge before upgrading to Catalina), do "sudo mount -uw /System/Volumes/Data/" first (run in the Terminal after normal booting).
Don't forgot to enable the SIP after you have finished the job, either through the Startup Security Utility or the command "csrutil enable" in the Terminal.
BTW, I'd appreciate if someone can help to remove some files under /usr because "mount -uw" doesn't work on the "/" root directory. On my old macbook, I created a symbolic link named "X11" under /usr to run XQuartz and forgot to remove the link with it later. Unfortunately this link file became a core part of the MacOS system protected by SIP after upgrading to Big Sur...
Hi agou-ops,
As mentioned by HW-Tech, Apple has added additional security restrictions for disabling System Integrity Protection (SIP) on Macs with Apple silicon. This is because the SIP configuration is stored directly in the Security Policy (aka the LocalPolicy).
To downgrade the security policy:
If you still cannot disable System Integrity Protection after completing the above, please let me know.
Thanks for your reply. And you let me know more about MacOS and SIP.
I solved this problem by completely shutting down, then powering on, and finally restarting the computer to Recovery OS.
I have rebooted directly into Recovery OS several times before instead of shutting down completely.😂
Great to hear! It is technically possible to get into what Apple calls "1 True Recovery (1TR)" via a reboot, but you have to hold down the power button (Touch ID) as soon as the display backlight turns off. It's much easier to boot to 1TR from a shutdown state.
Also, you might want to read these documents if you're interested. They have more details on how the Secure Boot architecture works:
celleo wrote:
Same issue as you on my MacOS Monterey 12.0.1, Mackbook Pro 2021 with M1 Pro. I finally figured out the solutions as follows:
**Solution 1**
Use the Security Policy in the Startup Security Utility under the Utilities menu instead of Terminal, to downgrade the SIP level. (refer to https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac)
System Integrity Protection (SIP) and the Security Policy (LocalPolicy) are not the same thing. On Macs with Apple silicon SoCs, the SIP configuration is stored inside the LocalPolicy file - SIP is a subset of the security policy. That said, you won't be able to change SIP settings in Startup Security Utility, because the Permissive Security option isn't available in Startup Security Utility. See the security levels below for more info:
Full Security: The default option, with no security downgrades permitted. Available in Startup Security Utility.
Reduced Security: Any compatible and signed version of macOS is permitted. SIP is locked as fully enabled. These options are also available:
Permissive Security: All of the options permitted by Reduced Security are also permitted here. In addition, you can boot a custom kernel (the Asahi Linux team is using this to allow booting Linux in the future). These options are also available:
To modify or disable SIP, use the csrutil command-line tool. Customizing or disabling SIP will automatically downgrade the security policy to Permissive Security.
celleo wrote:
BTW, I'd appreciate if someone can help to remove some files under /usr because "mount -uw" doesn't work on the "/" root directory. On my old macbook, I created a symbolic link named "X11" under /usr to run XQuartz and forgot to remove the link with it later. Unfortunately this link file became a core part of the MacOS system protected by SIP after upgrading to Big Sur...
In macOS Big Sur and later, your Mac boots from a cryptographically sealed snapshot. The seal is verified against the value provided by Apple at every boot. Because of this, the symlink in the usr folder must reside on the Data volume, and thus be located at: /System/Volumes/Data/usr
There are certain parts on the Data volume that are protected by SIP, such as Safari. To remove the symlink, try disabling SIP temporarily (which is most likely protecting the symlink on the Data volume).
Apple has been tightening security within macOS for years now. It sounds like Apple may be going even further with Monterey. I don't have a Monterey system to test.
👍🏻
Excerpted from `bputil` man page:
macOS 12 Monterey introduced a new concept of "paired recoveryOS", and a new set of restrictions related to it. Every installation of macOS 12 has its own paired recoveryOS with matching version stored on
the same APFS volume group. Installations of macOS 11 Big Sur are paired to a single recoveryOS stored on a separate APFS volume group called “system recoveryOS”.
By design, the SEP application which is responsible for making changes to the LocalPolicy will inspect the boot state of the main Application Processor (AP), and the pairing status between the booted OS and
the target LocalPolicy. It will only allow the below security-downgrading operations if it detects that the AP is in the intended boot state, and the OS pairing status is valid. When System Integrity
Protection (SIP) was first introduced to Macs, it was decided that requiring a reboot to recoveryOS would provide intentional friction which would make it harder for malicious software to downgrade the
system. That precedent is extended here to detect the special boot to recoveryOS via holding the power key at boot time. We refer to this as One True Recovery (1TR), and most of the below downgrade options
will only work when booted into 1TR, not when called from normal macOS or any other OS environment. This helps ensure that only a physically-present user, not malicious software running in macOS, can
permanently downgrade the security settings. The below CLI options specify what boot environments a downgrade can be performed from.
`csrutil disable` command FAILED. The OS environment does not allow changing security configuration options.