You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

`csrutil disable` command FAILED. The OS environment does not allow changing security configuration options.


The error is:

cstutil: The OS environment does not allow changing security configuration options.

Ensure that the system was booted into Recovery OS via the standard user action.


But I'm already in Recovery OS.

My OS version is macos Monterey12.0.1, and my device is MacBook Pro 14'' 2021.

MacBook Pro 14″, macOS 12.0

Posted on Nov 23, 2021 11:40 PM

Reply
Question marked as Top-ranking reply

Posted on Dec 2, 2021 8:43 AM

Same issue as you on my MacOS Monterey 12.0.1, Mackbook Pro 2021 with M1 Pro. I finally figured out the solutions as follows:

**Solution 1**

Use the Security Policy in the Startup Security Utility under the Utilities menu instead of Terminal, to downgrade the SIP level. (refer to https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac)

**Solution 2**

Run "csrutil clear" to clear the configuration, then "reboot". Now do the "csrutil disable" command in the Terminal.

Assuming you have entered the Recovery mode already, by holding down the Power button when powering-up/rebooting.


If you want to delete some files under the /Data volume (e.g. the notorious "/Users/Shared/Previously Relocated Items" garbage, forgot to purge before upgrading to Catalina), do "sudo mount -uw /System/Volumes/Data/" first (run in the Terminal after normal booting).


Don't forgot to enable the SIP after you have finished the job, either through the Startup Security Utility or the command "csrutil enable" in the Terminal.


BTW, I'd appreciate if someone can help to remove some files under /usr because "mount -uw" doesn't work on the "/" root directory. On my old macbook, I created a symbolic link named "X11" under /usr to run XQuartz and forgot to remove the link with it later. Unfortunately this link file became a core part of the MacOS system protected by SIP after upgrading to Big Sur...

7 replies
Question marked as Top-ranking reply

Dec 2, 2021 8:43 AM in response to agou-ops

Same issue as you on my MacOS Monterey 12.0.1, Mackbook Pro 2021 with M1 Pro. I finally figured out the solutions as follows:

**Solution 1**

Use the Security Policy in the Startup Security Utility under the Utilities menu instead of Terminal, to downgrade the SIP level. (refer to https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac)

**Solution 2**

Run "csrutil clear" to clear the configuration, then "reboot". Now do the "csrutil disable" command in the Terminal.

Assuming you have entered the Recovery mode already, by holding down the Power button when powering-up/rebooting.


If you want to delete some files under the /Data volume (e.g. the notorious "/Users/Shared/Previously Relocated Items" garbage, forgot to purge before upgrading to Catalina), do "sudo mount -uw /System/Volumes/Data/" first (run in the Terminal after normal booting).


Don't forgot to enable the SIP after you have finished the job, either through the Startup Security Utility or the command "csrutil enable" in the Terminal.


BTW, I'd appreciate if someone can help to remove some files under /usr because "mount -uw" doesn't work on the "/" root directory. On my old macbook, I created a symbolic link named "X11" under /usr to run XQuartz and forgot to remove the link with it later. Unfortunately this link file became a core part of the MacOS system protected by SIP after upgrading to Big Sur...

Nov 24, 2021 5:24 PM in response to agou-ops

Hi agou-ops,


As mentioned by HW-Tech, Apple has added additional security restrictions for disabling System Integrity Protection (SIP) on Macs with Apple silicon. This is because the SIP configuration is stored directly in the Security Policy (aka the LocalPolicy).


To downgrade the security policy:


  • You must shut down or power off your Mac, then press and hold the power button (Touch ID) to load Startup Options. Holding down the power button proves that a human, not malicious software, is requesting a downgraded security policy. If you landed in macOS Recovery without holding down the power button, you won't be able to downgrade the security policy until you shut down or restart.


  • In macOS Monterey or future, you must start up from the copy of macOS Recovery that is paired to your startup disk. This should only be an issue if you have multiple copies of macOS installed. To fix this issue, start up in macOS Recovery, click the Apple logo, select Startup Disk, select your startup disk (likely Macintosh HD), and restart. Then try starting up in macOS Recovery again.


If you still cannot disable System Integrity Protection after completing the above, please let me know.

Nov 24, 2021 6:03 PM in response to agou-ops

Great to hear! It is technically possible to get into what Apple calls "1 True Recovery (1TR)" via a reboot, but you have to hold down the power button (Touch ID) as soon as the display backlight turns off. It's much easier to boot to 1TR from a shutdown state.


Also, you might want to read these documents if you're interested. They have more details on how the Secure Boot architecture works:


  • The bputil man page (in macOS, open Terminal, and search for bputil under the Help menu).


Dec 3, 2021 5:54 PM in response to celleo

celleo wrote:

Same issue as you on my MacOS Monterey 12.0.1, Mackbook Pro 2021 with M1 Pro. I finally figured out the solutions as follows:
**Solution 1**
Use the Security Policy in the Startup Security Utility under the Utilities menu instead of Terminal, to downgrade the SIP level. (refer to https://support.apple.com/guide/mac-help/macos-recovery-a-mac-apple-silicon-mchl82829c17/mac)

System Integrity Protection (SIP) and the Security Policy (LocalPolicy) are not the same thing. On Macs with Apple silicon SoCs, the SIP configuration is stored inside the LocalPolicy file - SIP is a subset of the security policy. That said, you won't be able to change SIP settings in Startup Security Utility, because the Permissive Security option isn't available in Startup Security Utility. See the security levels below for more info:


Full Security: The default option, with no security downgrades permitted. Available in Startup Security Utility.


Reduced Security: Any compatible and signed version of macOS is permitted. SIP is locked as fully enabled. These options are also available:

  • Allow notarized kernel extensions
  • Allow MDM to manage kernel extensions and software updates


Permissive Security: All of the options permitted by Reduced Security are also permitted here. In addition, you can boot a custom kernel (the Asahi Linux team is using this to allow booting Linux in the future). These options are also available:

  • Modify the SIP configuration
  • Disable Kernel Integrity Protection (disable CTRR)
  • Disable Signed System Volume verification
  • Allow all boot arguments (including Single User Mode)


To modify or disable SIP, use the csrutil command-line tool. Customizing or disabling SIP will automatically downgrade the security policy to Permissive Security.


celleo wrote:

BTW, I'd appreciate if someone can help to remove some files under /usr because "mount -uw" doesn't work on the "/" root directory. On my old macbook, I created a symbolic link named "X11" under /usr to run XQuartz and forgot to remove the link with it later. Unfortunately this link file became a core part of the MacOS system protected by SIP after upgrading to Big Sur...

In macOS Big Sur and later, your Mac boots from a cryptographically sealed snapshot. The seal is verified against the value provided by Apple at every boot. Because of this, the symlink in the usr folder must reside on the Data volume, and thus be located at: /System/Volumes/Data/usr


There are certain parts on the Data volume that are protected by SIP, such as Safari. To remove the symlink, try disabling SIP temporarily (which is most likely protecting the symlink on the Data volume).

Nov 24, 2021 6:23 PM in response to Encryptor5000

👍🏻

Excerpted from `bputil` man page:

     macOS 12 Monterey introduced a new concept of "paired recoveryOS", and a new set of restrictions related to it. Every installation of macOS 12 has its own paired recoveryOS with matching version stored on
     the same APFS volume group. Installations of macOS 11 Big Sur are paired to a single recoveryOS stored on a separate APFS volume group called “system recoveryOS”.

     By design, the SEP application which is responsible for making changes to the LocalPolicy will inspect the boot state of the main Application Processor (AP), and the pairing status between the booted OS and
     the target LocalPolicy. It will only allow the below security-downgrading operations if it detects that the AP is in the intended boot state, and the OS pairing status is valid. When System Integrity
     Protection (SIP) was first introduced to Macs, it was decided that requiring a reboot to recoveryOS would provide intentional friction which would make it harder for malicious software to downgrade the
     system. That precedent is extended here to detect the special boot to recoveryOS via holding the power key at boot time. We refer to this as One True Recovery (1TR), and most of the below downgrade options
     will only work when booted into 1TR, not when called from normal macOS or any other OS environment. This helps ensure that only a physically-present user, not malicious software running in macOS, can
     permanently downgrade the security settings. The below CLI options specify what boot environments a downgrade can be performed from.

`csrutil disable` command FAILED. The OS environment does not allow changing security configuration options.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.