System Integrity Protection and OS upgrades vs imaging?

Regarding System Integrity Protection (aka "rootless"), I've just read something yesterday suggesting that when a Mac is upgraded in-place from a non-rootless macOS version to a rootless macOS version, SIP will take away files from restricted folders that it thinks aren't meant to be there.

Can anyone confirm that this is the case, and does the process simply delete the files, or does it move them somewhere? If it moves them somewhere, can anyone tell me where?

Also, am I right in thinking that because of the way the Jamf Imaging process works, rootless doesn't apply during imaging, and so packages that would normally not be able to install correctly due to the rootless restrictions are installed fine because SIP is not in operation while the Mac is booted off the NetBoot/Jamf Imaging image?

Dan Jackson (Senior ITServices Technician)
Long Road Sixth Form College
Cambridge, UK.


You're probably better asking, what's being written to those folders and why. SIP protected folders shouldn't be used for anything apart from OS level stuff.

If you need to write files somewhere, then use /usr/local/.

I've not tried installing anything that needs SIP turned off when imaging, but if you do have applications that require this then it's time to take a look at those and find a workaround. SIP was introduced years ago now so vendors have had more than enough time to fix their software to take this into account.

What issues are you trying to mitigate with this?
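A practical way to answer "what's being written to those folders" before a package reaches an imaging workflow is to audit its payload listing against the SIP-protected locations. The script below is an added example, not code from either poster or from Jamf; it assumes the protected-path list Apple publishes (/System, /bin, /sbin, and /usr except /usr/local, which is not exhaustive) and a listing in the form `pkgutil --payload-files` prints, and the sample payload is constructed.

```shell
#!/bin/sh
# Returns 0 when an absolute path lies inside a location SIP protects on a
# rootless macOS. Assumption: the list follows Apple's published summary
# (/System, /bin, /sbin, /usr minus /usr/local); preinstalled apps and other
# protected items are not covered here.
sip_protected_path() {
    case "$1" in
        /System|/System/*|/bin|/bin/*|/sbin|/sbin/*) return 0 ;;
        /usr/local|/usr/local/*) return 1 ;;
        /usr|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads a payload listing on stdin (one path per line, assumed in the
# "./usr/local/bin/tool" form that `pkgutil --payload-files` prints),
# prints every path that lands in a protected location and returns the
# number of offenders, so 0 means the package needs no SIP exception.
audit_payload() {
    count=0
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        abs="${p#.}"                                  # drop leading "."
        case "$abs" in /*) ;; *) abs="/$abs" ;; esac  # ensure absolute
        if sip_protected_path "$abs"; then
            printf 'SIP-protected: %s\n' "$abs"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Constructed sample listing, not the output of a real package.
SAMPLE_PAYLOAD='./usr/local/bin/tool
./Library/LaunchDaemons/com.example.tool.plist
./usr/bin/legacy-helper
./System/Library/Extensions/Legacy.kext/Contents/Info.plist
./Applications/Tool.app/Contents/MacOS/Tool'

# Runs the audit over the sample; on a real Mac replace the printf with
# `pkgutil --payload-files /path/to/package.pkg`.
audit_sample() {
    printf '%s\n' "$SAMPLE_PAYLOAD" | audit_payload
}
```

Two of the five sample paths (/usr/bin and /System) are flagged; those are the files that would install during a SIP-less imaging boot but cannot be written on a running rootless Mac, which is exactly the situation the reply suggests fixing at the vendor rather than working around.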