
cannot enable SIP on M1

Had to disable SIP on MacBook Pro M1 running Monterey 12.3 to test something. That went as expected - boot into recovery mode, select Options, select Utilities -> terminal, csrutil disable, ...


But now cannot re-enable SIP. Go into recovery mode, get to Utilities -> terminal, enter csrutil enable, get the expected question and answer y.


Prompts for username and pwd (did this 4 times in case I was fat-fingering the pwd).


Pauses for a while then says something like: Failed ... Cannot continue because you are not connected to the internet.


Any ideas?

Thx

Posted on Jun 10, 2022 1:22 PM

Question marked as Best reply

Posted on Jun 11, 2022 8:51 AM

Hi jcrowley99,


On Macs with Apple silicon, System Integrity Protection is tied directly to the Secure Boot policy. There are three security levels available:


Full Security: This is the default and most secure option, with all security downgrades disabled. Your Mac "personalizes" macOS and ties it directly to your Mac using the serial number (ECID) of the CPU. This process requires an Internet connection, and happens whenever you install or update macOS, or when you request Full Security.


Reduced Security: This option doesn't personalize macOS to your Mac, and doesn't require an Internet connection to Apple servers. This allows for booting old versions of macOS that Apple no longer actively signs. Additionally, you can also permit signed third-party kernel extensions, or if you're in a corporate environment, you can allow mobile device management (MDM) to manage updates and kernel extensions. All other security mechanisms remain enabled.


Permissive Security: This is the least secure option, and is hidden from Startup Security Utility. macOS isn't personalized, and you can even boot a custom kernel (such as m1n1 to load Asahi Linux). All available security downgrades are permitted at this security level. This is also the only security level that permits you to customize or disable SIP.



When you ran "csrutil disable" in macOS Recovery, it automatically downgraded your Secure Boot settings to Permissive Security, and disabled SIP. Now, when you're trying to run "csrutil enable" and consent to raising system security, your Mac is trying to return to Full Security (and lock in SIP as fully enabled). Part of that process involves contacting the Apple servers and personalizing macOS to your Mac, which requires an Internet connection.


Try one of these options to resolve the issue in macOS Recovery:


  • In the top right corner of the screen, select the Wi-Fi icon, and connect to a Wi-Fi network. Choose a network that doesn't have a captive portal (such as hotel networks, where a webpage appears after joining the network). Or, connect your Mac to Ethernet using an adapter. Then, try running "csrutil enable" again.


  • Quit Terminal, and open Startup Security Utility. Choose Reduced Security, then apply the changes. (This automatically locks SIP to its fully enabled state.)


Jun 11, 2022 9:08 AM in response to jcrowley99

jcrowley99 wrote:

Had to disable SIP on MacBook Pro M1 running Monterey 12.3 to test something. That went as expected - boot into recovery mode, select Options, select Utilities -> terminal, csrutil disable, ...

But now cannot re-enable SIP. Go into recovery mode, get to Utilities -> terminal, enter csrutil enable, get the expected question and answer y.

Prompts for username and pwd (did this 4 times in case I was fat-fingering the pwd).

Pauses for a while then says something like: Failed ... Cannot continue because you are not connected to the internet.

Any ideas?
Thx


You can reset SIP from your Terminal.app easy enough no r̶e̶b̶o̶o̶t̶ Recovery required.


check your status, copy and paste:

csrutil status


to enable SIP copy and paste:

 sudo csrutil clear



(note: your psswd will not echo; type it in anyway. To proceed, use the enter\return key)


reboot if necessary, check your status.



if you have an issue, verify you added Terminal to Full Disk Access
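A check to confirm the resulting SIP state after following the steps in this thread, written as an added example that is not part of any poster's reply. The sample `csrutil status` outputs are constructed, their line format is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: interpret `csrutil status` output for a compliance check.
# The sample outputs below are constructed; the line format is an assumption.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: disabled
    Debugging Restrictions: enabled'

# Print one of: enabled, disabled, custom, unknown.
classify_sip() {
    status_line=$(printf '%s\n' "$1" | grep 'System Integrity Protection status:' | head -n 1)
    case "$status_line" in
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;   # no status line, or an unrecognised one
    esac
}

# For a custom configuration, list the protections reported as disabled.
# "Apple Internal" is skipped: it is not a protection and is normally disabled.
sip_disabled_parts() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[ \t]+[^:]+: disabled/ && $1 !~ /Apple Internal/ {
            gsub(/^[ \t]+/, "", $1)
            out = out (out ? "," : "") $1
        }
        END { print out }'
}

# Anything other than "enabled" is a finding worth following up.
sip_report() {
    state=$(classify_sip "$1")
    parts=$(sip_disabled_parts "$1")
    echo "SIP: $state${parts:+ (disabled: $parts)}"
}

for sample in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_CUSTOM"; do
    sip_report "$sample"
done
# On a Mac, report the live state as well.
if command -v csrutil >/dev/null 2>&1; then
    sip_report "$(csrutil status 2>&1)"
fi
```
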


Jun 11, 2022 9:34 AM in response to jcrowley99

jcrowley99 wrote:

This worked! Thanks so much. Thought that both the disable and enable had to be executed from the safe-boot mode.

Also from terminal csrutil enable gives an error message that it must be issued from safe-boot mode, but csrutil clear works directly and re-enables it. Not very intuitive!

Thanks again ....



Right...


Mac's built-in security uses these to combat malware; it is not advised to dismiss these defaults.


 Gatekeeper mechanism, central to security services, which tries to ensure that any code loaded is ‘safe’. Code signatures are only part of this.


 XProtect checks the security and integrity of files, including in broader ways too; vulnerable document types, such as JPEG images, are also screened to ensure that they’re not malicious.


 MRT (Malware Removal Tool) an app which often complements XProtect’s signature-based screening, and can automatically remove all traces of many different species of malware.


 SIP (System Integrity Protection) which ensures that nothing can tamper with key system files, or even Apple’s bundled apps.



ref: macOS - Security - Apple 



ref: Apple Platform Security - Apple 

https://support.apple.com/guide/security/welcome/web


https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf



