Turning off SIP within base DMG image (before installation)

jeremyh
New Contributor

So it has been requested to turn off SIP (aka "rootless") within the base DMG image. Typically the workflow went as follows:

  1. Download Installer from App Store
  2. Use AutoDMG to create the standard DMG file.
  3. Place that file in the Casper repo for block-level deployment with Casper Imaging

To disable rootless successfully (from what I have read so far) you need to boot to the recovery partition, open Terminal and use 'csrutil'. This creates the issue below:

  • Once I boot to the Recovery Partition of the AutoDMG'ed DMG image to turn off rootless, I need to repackage it as a new DMG. I can use Disk Utility for this quite easily, but it almost doubles the size of the DMG image. So now each iteration of OS X is doubled in size...

Is there a better way of accomplishing this? Is my understanding correct in that the Recovery Partition is what is causing the balloon in size?

Any help appreciated, as there seems to be not much documentation on this so far.


alexjdale
Valued Contributor III

I haven't gone through this since there is no way I will turn off SIP (it's too important), but you should be able to figure out why the size is increasing and address it. The recovery partition should not be changing in size at all, is the OS DMG partition increasing? Are you ever booting to the OS itself, which could be creating a swapfile or something like that? Are you using the right DMG type in Disk Utility (compressed, read-only I imagine)?

davidacland
Honored Contributor II

Do you mean once you capture the final DMG with SIP disabled, it's twice the size of the original AutoDMG image?

Regarding documentation, I think you're going to be fairly lonely in that area unfortunately. As an MSP, we've taken the decision to not document, blog or otherwise share info regarding disabling SIP. It's just too frowned upon.

Just out of interest, what's the need for disabling SIP in your case?

thoule
Valued Contributor II

I wouldn't disable it - it's important and Apple is pushing it, which means you'll be swimming upstream here. There is a rootless.conf file in /System/Library/Sandbox/rootless.conf. You could try messing with that but I feel like I'm giving a gun to a kid here. Don't shoot yourself.

rtrouton
Release Candidate Programs Tester

SIP's active configuration is stored in NVRAM, not on disk. Trying to build an image that includes SIP being off is not going to be a successful process unless part of the process includes:

A. Booting to the Recovery environment
B. Running "csrutil disable" while booted into the Recovery environment.

This process would have to be repeated on every machine you want to disable SIP on. It will not be included with the image because the configuration SIP is referencing isn't stored in the image, it's in NVRAM.

I have several posts on SIP and how it works available from here:

https://derflounder.wordpress.com/category/system-integrity-protection/
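Because the SIP state lives in the csr-active-config NVRAM variable rather than in the imaged volume, the only thing an imaging workflow can do is verify the state on each Mac after it boots. The script below is an added example, not code from the thread or from any of the posters: a Jamf-style extension attribute that reduces the output of `csrutil status` to a single value, so that machines where SIP was (or was not) disabled in Recovery can be reported on. The script name `sip_status.sh`, the `<result>` wrapping and the "not supported" value for pre-10.11 systems are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): report the SIP state of the Mac this
# runs on. csrutil reads the csr-active-config NVRAM variable, not anything in
# the OS image, so the check must be evaluated per machine after imaging.

# Reduce a `csrutil status` output string to "enabled", "disabled" or "unknown".
# Matching on the substring also covers later releases that append
# "(Custom Configuration)" after "enabled".
sip_state_from_output() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo "enabled" ;;
        *"System Integrity Protection status: disabled"*) echo "disabled" ;;
        *)                                                echo "unknown" ;;
    esac
}

# Query the running system. On OS X 10.10 and earlier there is no csrutil at
# all; report "not supported" (assumed value for this example) instead of
# failing, so the attribute still populates for older machines.
sip_state_local() {
    if command -v csrutil >/dev/null 2>&1; then
        sip_state_from_output "$(csrutil status 2>/dev/null)"
    else
        echo "not supported"
    fi
}

# Jamf extension attributes expect the value wrapped in <result> tags
# (assumed output format for this example).
main() {
    echo "<result>$(sip_state_local)</result>"
}

main
```

Deploying this as an extension attribute and then building a smart group on the reported value gives an inventory of which machines actually had `csrutil disable` run in Recovery, which is the per-machine step the image itself cannot carry.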

calumhunter
Valued Contributor

Edit: And Rich beat me to it!

That won't disable it.

The setting is stored in NVRAM, not on disk. You can't "capture" a SIP-disabled OS DMG.