MacOS – disable SIP on a remote/headless machine running Sierra

macossip

I have a remote 2012 mac mini running Sierra. Long ago I was doing some troubleshooting and had created a secondary copy of the system on the machine. Once I had finished whatever I was doing (which I don't even remember anymore) I got my working system running again and deleted the alternate one. Trouble is since it contains system files, they are locked down by SIP and can't be deleted without disabling SIP. Which of course can only be done from recovery mode, which requires having a display and keyboard attached to the machine in question. Which I don't have.

Is there any way to:

Disable SIP without using recovery mode at all? I have found other threads (such as here and here) about this and the consensus appears to be "no", but I thought I would reiterate the question here to be thorough. Or,
Empty the trash of protected items without having to disable SIP first?

The machine is running Sierra and SIP is definitely enabled currently (csrutil status).

Best Answer

Disable SIP without using recovery mode at all? I have found other threads (such as here and here) about this and the consensus appears to be "no", but I thought I would reiterate the question here to be thorough.

System Integrity Protection cannot be disabled from a normal mode boot (from ones's Desktop). The Apple provided method is to use csrutil disable from Terminal while booted to macOS Recovery. What good would it be if it could be disabled from a normal mode boot? (Rhetorical question!)

As mentioned by David Anderson in a comment, one could use rEFInd to disable SIP, however, this cannot be done from a normal mode boot (from ones's Desktop) and would require having rEFInd installed and rebooting the system to rEFInd, which you'd have no control of from a headless-system without a keyboard.

Empty the trash of protected items without having to disable SIP first?

From a normal mode boot (from one's Desktop), no, however one can delete the various .Trashes and .Trash directories from Terminal in macOS Recovery without disabling SIP and then reboot back to normal mode boot and those directories will be recreated.

What good would SIP be if one could bypass its restrictions from a normal mode boot? (Rhetorical question!)

Obviously, you'll need to temporarily add a keyboard and monitor to the Mac mini to boot to macOS Recovery in order to resolve the issue.

Background

My environment

Host

Windows 10
VMWare Workstation 12 (patched to run macOS)

Guest

macOS High Sierra 10.13.4

I originally tried adding macosguest.forceRecoveryModeInstall = "TRUE" to my .vmx config. This allowed me to boot into recovery and could disable SIP but then I couldn't get the VM to boot normally, even after removing that line.

The solution to this problem I found was to just delete the .nvram file. Unfortunately, that's where the flag to disable SIP is stored so when my VM came back up SIP was enabled again.

My Solution

From the Terminal, run the following commands (thanks to G5tube for this suggestion)
```
 sudo nvram "recovery-boot-mode=unused"
 sudo reboot recovery
```
The second command will reboot your Mac instantly, so better save any unfinished work first.
Once the Mac has rebooted into the Recovery / Installer system (you may have to choose your language first): From the menu bar, click Utilities > Terminal
Run csrutil disable from the terminal, followed by reboot
Once your VM has rebooted normally you can verify that SIP was disabled by opening a terminal and running csrutil status

To turn SIP back on, follow the same steps as above but run csrutil enable at the recovery terminal instead.

MacOS – csrutil: command not found

The netboot image loaded by booting to Internet Recovery Mode apparently doesn't contain the executable csrutil.

The OS X Base System loaded while booting to Recovery Mode should contain it though. By pressing cmdR a 2-step procedure is initiated: First the Mac is booted to Recovery HD and then after expanding BaseSystem.dmg to "OS X Base System" (which is the name of the mounted BaseSystem.dmg). If you see an animated globe after pressing cmdR your Mac probably doesn't have a Recovery HD.

Check the system version (or product version) of the Recovery HD/Base System:

To check the system version (1 in the screenshot below), boot to your main volume and enter the following in Terminal:

diskutil list #to get the disk identifier of your Recovery HD; usually it's disk0s3 with a size of ~650 MB
diskutil mount disk0s3
cat /Volumes/Recovery\ HD/com.apple.recovery.boot/SystemVersion.plist | grep -A 2 ProductVersion

Additionally you may mount BaseSystem.dmg and check the system version (2 in the screenshot below) there also:

open /Volumes/Recovery\ HD/com.apple.recovery.boot/BaseSystem.dmg
cat /Volumes/OS\ X\ Base\ System/System/Library/CoreServices/SystemVersion.plist | grep -A 2 ProductVersion

Download and reinstall the latest OS X El Capitan full installer if the system version of the base system is 10.10.x or lower.