How to write to a Catalina Read Only File System directory

In my Public Lab Configurations I have always had to customize the Directory Utility Authentication Search Policy for our AD Domain. Since we have more than one domain in our forest, I have always had to set the Authentication Search Path to one specific domain, vs. All Domains. I have done this by customizing the Library -> Preferences -> OpenDirectory -> Configurations -> Search.plist as such:

/Active Directory/BU/••.b••••••••
/Active Directory/BU/All Domains

packaging it up and deploying it via a policy.

Now, with Catalina, I am prevented from writing this file to the Configurations directory unless I disable SIP: “Operation Not Permitted”.

Does anyone have a suggestion for how I can customize the Search.plist while keeping SIP enabled?

I do have my Jamf Pro Server —> Directory Bindings —> Administrative configuration set to:
Allow authentication from any domain in the forest —> Unchecked.

But this has never had any effect on the Authentication Search Path.

I've been testing different variations of Privacy Preferences Policy Control payloads for Directory Utility and Terminal, but no success so far.