I’m happy to announce that developers can now programmatically disable Apple System Integrity Protection (SIP) on their Amazon EC2 Mac instances. System Integrity Protection (SIP), also known as rootless, is a security feature Apple introduced in OS X El Capitan (2015, version 10.11). It is designed to protect the system from potentially harmful software by limiting the power of the root user account. SIP is enabled by default on macOS.
SIP safeguards the system by preventing modification of protected files and folders, limiting access to system-owned files and directories, and blocking unauthorized software from selecting a startup disk. The primary goal of SIP is to address the risk of unrestricted root access, which could allow malware to gain full control of a device with a single password or vulnerability. By enforcing this protection, Apple aims to provide a higher level of security for macOS users, especially considering that many users operate administrative accounts with weak or no passwords.
While SIP provides excellent protection against malware for everyday use, developers occasionally need to temporarily disable it for development and testing. For instance, when developing a new device driver or system extension, disabling SIP is necessary to install and test the code. Additionally, SIP might block access to certain system settings your software needs to function properly. Temporarily disabling SIP grants you the permissions needed to fine-tune applications for macOS. However, it is crucial to remember that this is akin to opening the vault door for authorized maintenance, not leaving it permanently open.
Disabling SIP on a Mac normally requires physical access to the machine. You have to restart the machine in recovery mode, disable SIP with the csrutil command line tool, then restart the machine again.
Until today, you had to operate with the standard SIP settings on EC2 Mac instances. The physical access requirement and the need to boot into recovery mode made integrating SIP with the Amazon EC2 control plane and EC2 API challenging. That is no longer the case: you can now disable and re-enable SIP at will on your Amazon EC2 Mac instances. Let me show you how.
Let’s see how it works
Imagine I have an Amazon EC2 Mac instance running. It is a mac2-m2.metal instance, running on an Apple silicon M2 processor. Disabling or enabling SIP is as simple as calling a new EC2 API: CreateMacSystemIntegrityProtectionModificationTask. This API is asynchronous; it starts the process of changing the SIP status on your instance. You can monitor progress using another new EC2 API: DescribeMacModificationTasks. All I need to know is the instance ID of the machine I want to work with.
Prerequisites
On Apple silicon EC2 Mac instances (and newer machine types), before calling the new EC2 API, I have to set the ec2-user password and enable a secure token for that user on macOS. This requires connecting to the machine and typing two commands in the terminal.
# on the target EC2 Mac instance
# Set a password for the ec2-user user
~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user
New Password: (MyNewPassw0rd)
# Enable a secure token, with the same password, for ec2-user
# the old password is the one you just set with dscl
~ % sysadminctl -newPassword MyNewPassw0rd -oldPassword MyNewPassw0rd
2025-03-05 13:16:57.261 sysadminctl[3993:3033024] Attempting to change password for ec2-user…
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] SecKeychainCopyLogin returned -25294
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] Failed to update keychain password (-25294)
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] - Done
# The error about the keychain is expected. I never connected with the GUI on this machine, so the login keychain doesn't exist
# and you can ignore this error. The command below shows the list of keychains active in this session
~ % security list-keychains
"/Library/Keychains/System.keychain"
# Verify that the secure token is ENABLED
~ % sysadminctl -secureTokenStatus ec2-user
2025-03-05 13:18:12.456 sysadminctl[4017:3033614] Secure token is ENABLED for user ec2-user
Change the SIP status
I don’t need to connect to the machine to toggle the SIP status. I only need to know its instance ID. I open a terminal on my laptop and use the AWS Command Line Interface (AWS CLI) to retrieve the Amazon EC2 Mac instance ID.
aws ec2 describe-instances \
    --query "Reservations[].Instances[?InstanceType == 'mac2-m2.metal'].InstanceId" \
    --output text
i-012a5de8da47bdff7
Now, still from the terminal on my laptop, I disable SIP with the create-mac-system-integrity-protection-modification-task command. The credentials are the ec2-user name and the password I set in the prerequisites, passed as a JSON blob. Because that blob contains a plaintext password, I write it to a temporary file only for the duration of the call and remove the file as soon as the call returns, whether it succeeded or not:
echo '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"MyNewPassw0rd"}' > tmpCredentials
aws ec2 create-mac-system-integrity-protection-modification-task \
    --instance-id "i-012a5de8da47bdff7" \
    --mac-credentials fileb://./tmpCredentials \
    --mac-system-integrity-protection-status "disabled"
# remove the plaintext credentials file regardless of the outcome of the call
rm -f tmpCredentials
{
"macModificationTask": {
"instanceId": "i-012a5de8da47bdff7",
"macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
"macSystemIntegrityProtectionConfig": {},
"startTime": "2025-03-14T14:15:06Z",
"taskState": "pending",
"taskType": "sip-modification"
}
}
After the task is started, I can check its status with the aws ec2 describe-mac-modification-tasks command.
{
"macModificationTasks": [
{
"instanceId": "i-012a5de8da47bdff7",
"macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
"macSystemIntegrityProtectionConfig": {
"debuggingRestrictions": "",
"dTraceRestrictions": "",
"filesystemProtections": "",
"kextSigning": "",
"nvramProtections": "",
"status": "disabled"
},
"startTime": "2025-03-14T14:15:06Z",
"tags": [],
"taskState": "in-progress",
"taskType": "sip-modification"
},
...
The instance starts the process and goes through a series of reboots, during which it is unreachable. This can take 60–90 minutes to complete. After that, when I see the instance status in the console become available again, I connect to the machine through SSH or EC2 Instance Connect, as usual.
➜ ~ ssh ec2-user@54.99.9.99
Warning: Permanently added '54.99.9.99' (ED25519) to the list of known hosts.
Last login: Mon Feb 26 08:52:42 2024 from 1.1.1.1
┌───┬──┐ __| __|_ )
│ ╷╭╯╷ │ _| ( /
│ └╮ │ ___|___|___|
│ ╰─┼╯ │ Amazon EC2
└───┴──┘ macOS Sonoma 14.3.1
➜ ~ uname -a
Darwin Mac-mini.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:27 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T8103 arm64
➜ ~ csrutil status
System Integrity Protection status: disabled.
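The steps above (credential blob, asynchronous CreateMacSystemIntegrityProtectionModificationTask call, polling DescribeMacModificationTasks, then checking csrutil on the instance) fit naturally into a small script. The following is an added example written for this post, not code from AWS or from the original article. It drives the same two EC2 APIs through boto3's ec2 client, but the client is passed in as a parameter so the flow can be exercised offline with the FakeEc2 stand-in defined at the bottom. Assumptions: MacCredentials is the blob type the CLI reads with fileb:// and is therefore passed as UTF-8 bytes; boto3 returns the EC2 response keys in PascalCase (MacModificationTask, TaskState), as it does for every other EC2 call; the task states "pending", "in-progress", "successful" and "failed" are the ones the service reports. The instance ID and password reuse the values shown in this post.

```python
"""Disable or re-enable SIP on an EC2 Mac instance and wait for the task to finish.
Added example (not AWS code). The boto3 ec2 client is injected; FakeEc2 below
is a constructed offline stand-in so the logic can run without AWS credentials."""
import json
import time

TERMINAL_STATES = {"successful", "failed"}


def build_mac_credentials(username, password):
    """JSON blob with rootVolumeUsername/rootVolumePassword, as UTF-8 bytes.
    Held in memory only: unlike the CLI recipe, no temporary file is written."""
    if not username or not password:
        raise ValueError("Apple silicon instances need a user with a secure token and a password")
    return json.dumps({"rootVolumeUsername": username,
                       "rootVolumePassword": password}).encode("utf-8")


def start_sip_change(ec2, instance_id, status, credentials):
    """Call CreateMacSystemIntegrityProtectionModificationTask and return the task ID."""
    if status not in ("enabled", "disabled"):
        raise ValueError(f"status must be 'enabled' or 'disabled', got {status!r}")
    resp = ec2.create_mac_system_integrity_protection_modification_task(
        InstanceId=instance_id,
        MacSystemIntegrityProtectionStatus=status,
        MacCredentials=credentials,
    )
    return resp["MacModificationTask"]["MacModificationTaskId"]


def wait_for_task(ec2, task_id, poll_interval=300, timeout=3 * 3600,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll DescribeMacModificationTasks until a terminal state or the timeout.
    The post reports 60-90 minutes of reboots, so poll slowly with a generous
    timeout; sleep/clock are injectable so the loop can be tested offline."""
    deadline = clock() + timeout
    while True:
        resp = ec2.describe_mac_modification_tasks(MacModificationTaskIds=[task_id])
        tasks = resp.get("MacModificationTasks", [])
        if not tasks:
            raise RuntimeError(f"task {task_id} not returned by DescribeMacModificationTasks")
        task = tasks[0]
        if task["TaskState"] in TERMINAL_STATES:
            return task
        if clock() >= deadline:
            raise TimeoutError(f"task {task_id} still {task['TaskState']} after {timeout}s")
        sleep(poll_interval)


def set_sip(ec2, instance_id, status, username, password, **wait_opts):
    """Full flow: build credentials, start the task, wait, return the resulting SIP status."""
    task_id = start_sip_change(ec2, instance_id, status,
                               build_mac_credentials(username, password))
    task = wait_for_task(ec2, task_id, **wait_opts)
    if task["TaskState"] != "successful":
        raise RuntimeError(f"task {task_id} ended in state {task['TaskState']}")
    return task["MacSystemIntegrityProtectionConfig"]["Status"]


def parse_csrutil_status(output):
    """Map the output of `csrutil status` run on the instance to True/False (enabled/disabled)."""
    text = output.strip().lower()
    if "status: enabled" in text:
        return True
    if "status: disabled" in text:
        return False
    raise ValueError(f"unrecognised csrutil output: {output!r}")


class FakeEc2:
    """Constructed offline stand-in for boto3's EC2 client.
    Replays one scripted TaskState per describe call; the last state repeats."""

    def __init__(self, states):
        self._states = list(states)
        self._status = None
        self.describe_calls = 0

    def create_mac_system_integrity_protection_modification_task(self, **kw):
        self._status = kw["MacSystemIntegrityProtectionStatus"]
        return {"MacModificationTask": {"InstanceId": kw["InstanceId"],
                                        "MacModificationTaskId": "macmodification-0fake",
                                        "TaskState": "pending",
                                        "TaskType": "sip-modification"}}

    def describe_mac_modification_tasks(self, **kw):
        self.describe_calls += 1
        state = self._states[min(self.describe_calls, len(self._states)) - 1]
        return {"MacModificationTasks": [{
            "MacModificationTaskId": kw["MacModificationTaskIds"][0],
            "TaskState": state,
            "MacSystemIntegrityProtectionConfig": {"Status": self._status}}]}


if __name__ == "__main__":
    # Offline demo; against AWS use: import boto3; ec2 = boto3.client("ec2", region_name=...)
    fake = FakeEc2(["pending", "in-progress", "successful"])
    print(set_sip(fake, "i-012a5de8da47bdff7", "disabled", "ec2-user", "MyNewPassw0rd",
                  poll_interval=0, sleep=lambda _: None))
```

Two design points worth noting. First, the password never touches disk: the CLI recipe above writes it to a file and deletes it afterwards, whereas here the blob exists only in memory, and in practice you would fetch the password from a secrets store rather than hard-code it. Second, the wait loop treats "failed" as a terminal state and raises, and it enforces a deadline, so an automation job that wraps this cannot hang forever on an instance that never comes back from its reboots.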
When to disable SIP
Disabling SIP should be approached with caution, because it exposes the system to the very risks SIP exists to contain. However, as I mentioned in the introduction of this post, you might need to disable SIP when developing device drivers or kernel extensions for macOS. Some older applications might also not function correctly while SIP is enabled.
Disabling SIP is also required to turn Spotlight off completely, because its metadata daemon lives in the SIP-protected system area. Spotlight helps you quickly find apps, documents, emails and other items on your Mac. It is very convenient on a desktop machine, but much less so on a server. When there is no need to index your documents as they change, turning off Spotlight frees some CPU cycles and disk I/O.
Things to know
There are a few additional things to know about disabling SIP on Amazon EC2 Mac:
- Disabling SIP is available through the API and AWS SDKs, the AWS CLI, and the AWS Management Console.
- On Apple silicon, the setting is volume based, so if you replace the root volume, you have to disable SIP again. On Intel, the setting is Mac host based, so if you replace the root volume, SIP stays disabled.
- After disabling SIP, it is enabled again if you stop and start the instance. Rebooting an instance doesn't change its SIP status.
- SIP status isn't transferable between EBS volumes. This means SIP is back to its default, enabled, after you restore an instance from an EBS snapshot or create an AMI from an instance where SIP was disabled.
These new APIs are available in all Regions where Amazon EC2 Mac is available, at no additional cost. Try them today.