Home > Mac administration, Mac OS X, Scripting, System Integrity Protection > Updated System Integrity Protection status reporting script

Updated System Integrity Protection status reporting script

After writing a Casper Extension Attribute script to report on the status of System Integrity Protection, I realized that I hadn’t accounted for reporting SIP’s custom configurations. These are configurations where SIP is enabled, but one or more of SIP’s protections or restrictions has been disabled. I’ve now updated the script to also report on the following SIP configurations:

  • Kext Signing: disabled
  • Filesystem Protections: disabled
  • NVRAM Protections: disabled
  • Debugging Restrictions: disabled
  • DTrace Restrictions: disabled

For more details, please see below the jump.

The script has the following functions:

If the Mac is running 10.10.x or earlier

The script reports System Integrity Protection Not Available For and then reports the relevant version of OS X. For example, the script returns the following output on a Mac running OS X 10.10.5:

System Integrity Protection Not Available For 10.10.5

If the Mac is running 10.11.x or later

This script uses csrutil status to check SIP’s status.

If System Integrity Protection is disabled, the script returns the following output:

System Integrity Protection status: Disabled

Screen Shot 2015 12 18 at 7 59 14 AM


If System Integrity Protection is enabled, the script returns the following output:

System Integrity Protection status: Active

Screen Shot 2015 12 18 at 8 07 27 AM


If SIP has custom configurations, the script will return output similar to that shown below:

System Integrity Protection status: Active
Kext Signing: disabled
Filesystem Protections: disabled
NVRAM Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled

Screen Shot 2015 12 18 at 8 03 22 AM


This script is designed to be generic and usable by most reporting systems. I have also updated the counterpart Casper Extension Attribute with this same functionality.

For those interested, the script is available below and also from on my GitHub repo:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/check_system_integrity_protection_status

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: