Imaging Without SIP?

omatsei
New Contributor III

There's a ton of information about SIP out there, but here's a question...

We have several old iMacs running Yosemite that we're going to be upgrading to El Capitan as part of our Casper workflow. This workflow also sets up a Boot Camp partition with Windows. Here's the problem... since Yosemite doesn't have SIP, we can't disable it before we image the iMacs. So it looks like we have to upgrade to El Cap, disable SIP, then image... right? Is there any way to set the initial SIP status to disabled, since it's installing El Capitan from an image we're feeding it?


rtrouton
Release Candidate Programs Tester

@omatsei,

Imaging shouldn't be affected by SIP, so you shouldn't need to do anything special. For more information on this, I gave a talk at JAMF Nation 2015 on SIP and included a section on how imaging works with SIP. The talk was recorded and is available via the link below:

https://www.youtube.com/watch?v=qsoNGmYWyHE (the part concerning imaging starts at 24:50.)

omatsei
New Contributor III

It's not the imaging itself that's the problem, it's that there's a Winclone package in the imaging, which sets up a Boot Camp partition with Windows.

rtrouton
Release Candidate Programs Tester

@omatsei, you may want to talk to the folks at Two Canoes about the Winclone portion. I know that they're aware of the issue, as Tim Perfitt wrote a post about SIP and Boot Camp on Two Canoes' blog:

http://blog.twocanoes.com/post/130271331763/how-el-capitan-boot-camp-is-affected-by-apples

omatsei
New Contributor III

I have a support request open with them, and they've been extremely helpful so far, but I was curious if there was a way to disable SIP as part of the Casper workflow, prior to the first boot of the OS. As simplistic as this sounds, it seems like there's a file somewhere in the El Capitan installer dmg that writes the firmware, and initially enables SIP. If you could change that in the installer itself, any system built with that file would have SIP disabled from the start.

rtrouton
Release Candidate Programs Tester

@omatsei, you may want to watch the video on SIP and how it works. You can disable SIP using the csrutil tool, but you may find it challenging to work SIP being disabled into a deployment workflow.

omatsei
New Contributor III

I figured the best way to go about it is to essentially image the Macs with a barebones El Cap, then boot directly into the Recovery HD to disable SIP, then image with the "real" image. It takes a good 15 minutes longer per system, but that's the best way I can figure to start the real imaging process with SIP already disabled.
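A pre-flight check for the two-pass workflow described above, added here as an example (it is not from this thread, from Jamf or from Two Canoes): it reads the SIP state from `csrutil status`, falls back to the `csr-active-config` NVRAM variable, and exits non-zero when the machine is not in the state the next step needs. The function names are assumptions, and the sample strings used for checking are constructed.

```shell
#!/bin/sh
# Added example: gate an imaging step on the current SIP state. Parsing is
# kept in separate functions so it can be checked against captured output
# without a Mac. Function names are ours (assumed), not Jamf's or Apple's.

# Map the text of `csrutil status` to enabled / disabled / unknown.
sip_state_from_csrutil() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;   # custom configuration, error text, tool missing
    esac
}

# Low byte of the csr-active-config bitmask as printed by `nvram`, which shows
# printable bytes literally and the rest as %xx (a constructed sample of a
# machine after `csrutil disable` would look like "csr-active-config<TAB>w%00%00%00").
# 0 means SIP fully on; any set bit means some protection is relaxed.
# Prints -1 and fails when the variable is not in the output.
sip_mask_from_nvram() {
    value=$(printf '%s\n' "$1" | sed -n 's/^csr-active-config[[:space:]]*//p' | head -n 1)
    [ -n "$value" ] || { printf '%s\n' -1; return 1; }
    case "$value" in
        %[0-9A-Fa-f][0-9A-Fa-f]*)       # first byte escaped as %xx
            echo $((0x$(printf '%s' "$value" | cut -c2-3))) ;;
        *)                               # first byte printed as a literal char
            printf '%d\n' "'$(printf '%s' "$value" | cut -c1)" ;;
    esac
}

sip_state_from_mask() {
    case "$1" in
        0)      echo enabled ;;
        -1|'')  echo unknown ;;
        *)      echo disabled ;;       # conservative: any relaxed bit counts
    esac
}

# Exit 0 only when the live machine is in the wanted state ("disabled" for
# the Boot Camp pass, "enabled" for a post-imaging audit), so a policy can
# stop before a step SIP would block. Uses NVRAM when csrutil is unclear.
sip_preflight() {
    want=$1
    state=unknown
    command -v csrutil >/dev/null 2>&1 && state=$(sip_state_from_csrutil "$(csrutil status 2>&1)")
    if [ "$state" = unknown ] && command -v nvram >/dev/null 2>&1; then
        state=$(sip_state_from_mask "$(sip_mask_from_nvram "$(nvram csr-active-config 2>&1)")")
    fi
    echo "SIP is $state, workflow wants $want"
    [ "$state" = "$want" ]
}
```

Run it as `sip_preflight disabled` from the policy that precedes the Winclone step, and `sip_preflight enabled` after the final image to confirm protection was turned back on.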

Vanegas
New Contributor

@omatsei Is your workflow an automated process? If so, can you share?

Look
Valued Contributor III

There is no friendly way of dealing with SIP that I can see; it gets even worse if you want to use Windows 10 and EFI boot.
One thing you can use if you want a relatively quick way of disabling SIP is to create an EFI booting USB with rEFInd on it, configured to show the toggle for turning SIP on or off. Since the latest build, this will toggle the value even if it isn't populated yet, which might allow you to preload the SIP status on the machine before booting into the real imaging. But it does require a USB boot before imaging, so it's hardly automated.