05-10-2022 07:59 AM - edited 05-10-2022 07:59 AM
I have been using an extension attribute to identify when a Mac has SIP disabled, and a smart group based on SIP being disabled. I have a Self Service policy (or an automatic one) that is scoped to that smart group and simply runs the command
csrutil clear
and then immediately restarts the computer to re-enable SIP. It worked just fine up until I discovered that it doesn't work on Monterey and/or M1 Macs. I discovered that when I run that command manually in Terminal, now it prompts for an authorized user - which I have to type in, then it prompts for the password - which also has to be typed in. Is there a way of enabling SIP now without having to enter a user ID & PW? We are forbidden from using passwords in scripts at all. Even if we were allowed to include passwords in scripts, we're rotating admin passwords on all the Macs on a regular basis so that's out.
Why is Apple making it harder and harder to manage things?
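An extension attribute of the kind the post describes, as an added example that is not the poster's own script: it classifies `csrutil status` output and prints the `<result>` value Jamf Pro reads. The function names and the value names (Enabled, Disabled, Custom, Unknown) are assumptions chosen for this example.

```bash
#!/bin/bash
# Extension attribute sketch: report SIP state from `csrutil status`.
# Value names (Enabled/Disabled/Custom/Unknown) are assumptions for this example.

# classify_sip TEXT: print one value for the given `csrutil status` output.
classify_sip() {
    case "$1" in
        # A partially disabled SIP is reported with "(Custom Configuration)",
        # prefixed "enabled" or "unknown" depending on the macOS version.
        # Match it first so a partial disable is never reported as "Enabled".
        *"Custom Configuration"*)                         echo "Custom" ;;
        *"System Integrity Protection status: enabled"*)  echo "Enabled" ;;
        *"System Integrity Protection status: disabled"*) echo "Disabled" ;;
        # Empty or unrecognised output: report it rather than guess.
        *)                                                echo "Unknown" ;;
    esac
}

# sip_result: run csrutil when it exists and wrap the value in <result> tags.
sip_result() {
    local out=""
    if command -v csrutil >/dev/null 2>&1; then
        out=$(csrutil status 2>/dev/null || true)
    fi
    printf '<result>%s</result>\n' "$(classify_sip "$out")"
}

sip_result
```

A smart group that matches any value other than Enabled also catches the partial and unreadable cases, not only a full disable.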