You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: jcrowley99
jcrowley99 Author
User level: Level 1
15 points

cannot enable SIP on M1

Had to disable SIP on MacBook Pro M1 running Monterey 12.3 to test something. That went as expected - boot into recovery mode, select Options, select Utilities -> terminal, csrutil disable, ...


But now cannot re-enable SIP. Go into recovery mode, get to Utilities -> terminal, enter csrutil enable, get the expected question and answer y.


Prompts for username and pwd (did this 4 times in case I was fat-fingering the pwd).


Pauses for a while then says something like: Failed ... Cannot continue because you are not connected to the internet.


Any ideas?

Thx

Posted on Jun 10, 2022 1:22 PM

Reply
Question marked as Top-ranking reply
User profile for user: Encryptor5000
Encryptor5000
User level: Level 5
7,568 points

Posted on Jun 11, 2022 8:51 AM

Hi jcrowley99,


On Macs with Apple silicon, System Integrity Protection is tied directly to the Secure Boot policy. There are three security levels available:


Full Security: This is the default and most secure option, with all security downgrades disabled. Your Mac "personalizes" macOS and ties it directly to your Mac using the serial number (ECID) of the CPU. This process requires an Internet connection, and happens whenever you install or update macOS, or when you request Full Security.


Reduced Security: This option doesn't personalize macOS to your Mac, and doesn't require an Internet connection to Apple servers. This allows for booting old versions of macOS that Apple no longer actively signs. Additionally, you can also permit signed third-party kernel extensions, or if you're in a corporate environment, you can allow mobile device management (MDM) to manage updates and kernel extensions. All other security mechanisms remain enabled.


Permissive Security: This is the least secure option, and is hidden from Startup Security Utility. macOS isn't personalized, and you can even boot a custom kernel (such as m1n1 to load Asahi Linux). All available security downgrades are permitted at this security level. This is also the only security level that permits you to customize or disable SIP.



When you ran "csrutil disable" in macOS Recovery, it automatically downgraded your Secure Boot settings to Permissive Security, and disabled SIP. Now, when you're trying to run "csrutil enable" and consent to raising system security, your Mac is trying to return to Full Security (and lock in SIP as fully enabled). Part of that process involves contacting the Apple servers and personalizing macOS to your Mac, which requires an Internet connection.


Try one of these options to resolve the issue in macOS Recovery:


  • In the top right corner of the screen, select the Wi-Fi icon, and connect to a Wi-Fi network. Choose a network that doesn't have a captive portal (such as hotel networks, where a webpage appears after joining the network). Or, connect your Mac to Ethernet using an adapter. Then, try running "csrutil enable" again.


  • Quit Terminal, and open Startup Security Utility. Choose Reduced Security, then apply the changes. (This automatically locks SIP to its fully enabled state.)
View in context

Similar questions

7 replies
Question marked as Top-ranking reply
User profile for user: Encryptor5000
Encryptor5000
User level: Level 5
7,568 points

Jun 11, 2022 8:51 AM in response to jcrowley99

Hi jcrowley99,


On Macs with Apple silicon, System Integrity Protection is tied directly to the Secure Boot policy. There are three security levels available:


Full Security: This is the default and most secure option, with all security downgrades disabled. Your Mac "personalizes" macOS and ties it directly to your Mac using the serial number (ECID) of the CPU. This process requires an Internet connection, and happens whenever you install or update macOS, or when you request Full Security.


Reduced Security: This option doesn't personalize macOS to your Mac, and doesn't require an Internet connection to Apple servers. This allows for booting old versions of macOS that Apple no longer actively signs. Additionally, you can also permit signed third-party kernel extensions, or if you're in a corporate environment, you can allow mobile device management (MDM) to manage updates and kernel extensions. All other security mechanisms remain enabled.


Permissive Security: This is the least secure option, and is hidden from Startup Security Utility. macOS isn't personalized, and you can even boot a custom kernel (such as m1n1 to load Asahi Linux). All available security downgrades are permitted at this security level. This is also the only security level that permits you to customize or disable SIP.



When you ran "csrutil disable" in macOS Recovery, it automatically downgraded your Secure Boot settings to Permissive Security, and disabled SIP. Now, when you're trying to run "csrutil enable" and consent to raising system security, your Mac is trying to return to Full Security (and lock in SIP as fully enabled). Part of that process involves contacting the Apple servers and personalizing macOS to your Mac, which requires an Internet connection.


Try one of these options to resolve the issue in macOS Recovery:


  • In the top right corner of the screen, select the Wi-Fi icon, and connect to a Wi-Fi network. Choose a network that doesn't have a captive portal (such as hotel networks, where a webpage appears after joining the network). Or, connect your Mac to Ethernet using an adapter. Then, try running "csrutil enable" again.


  • Quit Terminal, and open Startup Security Utility. Choose Reduced Security, then apply the changes. (This automatically locks SIP to its fully enabled state.)
Reply
User profile for user: leroydouglas
leroydouglas
Community+ 2024
User level: Level 10
188,532 points

Jun 11, 2022 9:08 AM in response to jcrowley99

jcrowley99 wrote:

Had to disable SIP on MacBook Pro M1 running Monterey 12.3 to test something. That went as expected - boot into recovery mode, select Options, select Utilities -> terminal, csrutil disable, ...

But now cannot re-enable SIP. Go into recovery mode, get to Utilities -> terminal, enter csrutil enable, get the expected question and answer y.

Prompts for username and pwd (did this 4 times in case I was fat-fingering the pwd).

Pauses for a while then says something like: Failed ... Cannot continue because you are not connected to the internet.

Any ideas?
Thx


You can reset SIP from your Terminal.app easy enough no r̶e̶b̶o̶o̶t̶ Recovery required.


check your status, copy and paste:

csrutil status


to enable SIP copy and paste:

 sudo csrutil clear



(note— your psswd will not echo type it in anway, to proceed use the enter\return key)


reboot if necessary, check your status.



if you have an issue, verify you added Terminal to Full Disk Access


Reply
User profile for user: leroydouglas
leroydouglas
Community+ 2024
User level: Level 10
188,532 points

Jun 11, 2022 9:34 AM in response to jcrowley99

jcrowley99 wrote:

This worked! Thanks so much. Thought that both the disable and enable had to be executed from the safe-boot mode.

Also from terminal csrutil enable gives an error message that it must be issued from safe-boot mode, but csrutil clear works directly and re-enables it. Not very intuitive!

Thanks again ....



Right...


Macs built in Security uses these to combat malware, not advised to dismiss these defaults.


 Gatekeeper mechanism, central to security services, which tries to ensure that any code loaded is ‘safe’. Code signatures are only part of this.


 XProtect checks the security and integrity of files, including in broader ways too, vulnerable document types, such as JPEG images, are also screened to ensure that they’re not malicious.


 MRT (Malware Removal Tool) an app which often complements XProtect’s signature-based screening, and can automatically remove all traces of many different species of malware.


 SIP (System Integrity Protection) which ensures that nothing can tamper with key system files, or even Apple’s bundled apps.



ref: macOS - Security - Apple 

macOS - Security - Apple


ref: Apple Platform Security - Apple 

https://support.apple.com/guide/security/welcome/web


https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf




Reply

cannot enable SIP on M1

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up