MacOS – Disable System Integrity Protection on OS X running on VMware

macosSecurityvirtualizationvmware

I have an instance of OS X El Capitan running on VMWare Workstation 10. I need to make changes to /System and therefor have to disable System Integrity Protection. How do I access recovery mode on this VM so I can disable SIP?

Best Answer

I know this is an older question but I came across it looking for a solution to this problem so I figured I would submit an answer that contains all of the info I came across in one place.

Background

My environment

Host

Windows 10
VMWare Workstation 12 (patched to run macOS)

Guest

macOS High Sierra 10.13.4

I originally tried adding macosguest.forceRecoveryModeInstall = "TRUE" to my .vmx config. This allowed me to boot into recovery and could disable SIP but then I couldn't get the VM to boot normally, even after removing that line.

The solution to this problem I found was to just delete the .nvram file. Unfortunately, that's where the flag to disable SIP is stored so when my VM came back up SIP was enabled again.

My Solution

From the Terminal, run the following commands (thanks to G5tube for this suggestion)
```
 sudo nvram "recovery-boot-mode=unused"
 sudo reboot recovery
```
The second command will reboot your Mac instantly, so better save any unfinished work first.
Once the Mac has rebooted into the Recovery / Installer system (you may have to choose your language first): From the menu bar, click Utilities > Terminal
Run csrutil disable from the terminal, followed by reboot
Once your VM has rebooted normally you can verify that SIP was disabled by opening a terminal and running csrutil status

To turn SIP back on, follow the same steps as above but run csrutil enable at the recovery terminal instead.

Related Solutions

MacOS – How to disable System Integrity Protection (SIP) AKA “rootless” on macOs [OS X]

Apple's documentation covers disabling SIP, About System Integrity Protection on your Mac and Configuring System Integrity Protection.

An article on lifehacker.com lists these steps:

Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.

Click Utilities > Terminal.

In the Terminal window, type in csrutil disable and press Enter.

Restart your Mac.

You can verify whether a file or folder is restricted by issuing this ls command using the capital O (and not zero 0) to modify the long listing flag:

ls -lO /System /usr

Look for the restricted text to indicate where SIP is enforced.

By default (=SIP enabled), the following folders are restricted (see Apple Support page):

/System
/usr
/bin
/sbin
Apps that are pre-installed with OS X

... and the following folders are free:

/Applications
/Library
/usr/local

MacOS – Permanently Disabling System Integrity Protection

There should be no extra step required - in fact, reading through the excellent article linked from that question, I found this…

Because SIP’s configuration is stored in NVRAM, SIP’s protection settings will apply to the entire machine and will persist even if the OS is reinstalled.

This would perhaps imply your NVRAM is not correctly holding data -
perhaps try a reset, Cmd ⌘ Opt ⌥ P R at the chimes & keep holding until you hear the chimes a second time.

Source : System Integrity Protection – Adding another layer to Apple’s security model

If after resetting NVRAM one time, you can’t make SIP status stick the next steps are to repair and wipe your drive and then seek hardware service is a freshly erased and reinstalled OS won’t allow you to disable SIP.