Question

I'm using mac os 11.2.1 Big Sur. My question concerns using the Terminal utility to delete Apple default apps protected by SIP. I have disabled System Integrity Protection and confirmed that it is off by typing:

csrutil

Terminal duly returns "disabled" to confirm that SIP is definitely off. I then attempted to delete various Apple default apps, as follows:

sudo rm -rf FaceTime.app/

sudo rm -rf TV.app/

sudo rm -rf Mail.app/

But nothing seems to happen. The apps are still in my Applications folder and launch normally. If I try to delete them manually, I get a beep and the deletion is rejected just as if SIP were still enabled.

Can someone suggest a better way to remove Mail?

Solution

Big Sur seals the system and signs it cryptographically - deleting parts of the system is no longer as simple as politely asking SIP to stand down for a moment.

You might find it far easier to prevent these apps from launching using restrictions or screen time. The effort required to surgically remove apps is far more than it was in the past.

Here's how to check if your volume is still sealed before / after trying to tamper with it.

csrutil authenticated-root status

Here is an article that goes very deep into which portions of the system you can expect to change and which have added security protection.

In macOS Mojave 10.14, macOS boots from a single APFS volume, in which sensitive system folders and files are mixed with those which users can write to. The main protections provided to the system come from classical Unix permissions with the addition of System Integrity Protection (SIP).

Catalina 10.15 changes that by splitting the boot volume into two: the System and Data volumes, making up an APFS Volume Group. Immutable system files now reside on the System volume, which not only has complete protection by SIP, but is normally mounted read-only.

Although Big Sur uses the same protected System volume and APFS Volume Group as Catalina, it changes the way that volume is protected to make it an even greater challenge for those developing malicious software: welcome to the Signed System Volume (SSV).

There is support to make changes to the SSV:

  1. Boot to recovery
  2. csrutil authenticated-root disable
  3. Manually mount the correct filesystem - make your changes
  4. Make a new snapshot and tell the system to trust this non-SSV authenticated system: sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot

I don't know a good way to show you how to find your snapshot yet - so you'll need to do some digging and learning and report back if you find a "cookie cutter" process that handles things.
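The situation in the question (SIP reports "disabled", yet the system volume still rejects writes) is exactly the case where checking both csrutil status and csrutil authenticated-root status matters. The script below is an added example, not part of the question or the answer above: it classifies a Mac's boot-volume protection posture from the text those two commands print. The parsing functions take the command output as an argument so they can be exercised on constructed sample strings; audit runs the real commands only when csrutil exists on the machine. The sample output strings are constructed to match the wording Big Sur prints and are an assumption about that wording, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example: classify SIP / Signed System Volume posture from csrutil output.
# Not from the original post. Sample strings below are constructed (assumed wording).

SAMPLE_SIP_ENABLED="System Integrity Protection status: enabled."
SAMPLE_SIP_DISABLED="System Integrity Protection status: disabled."
SAMPLE_AR_ENABLED="Authenticated Root status: enabled"
SAMPLE_AR_DISABLED="Authenticated Root status: disabled"

# sip_state "<output of: csrutil status>" -> enabled | disabled | unknown
sip_state() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# ar_state "<output of: csrutil authenticated-root status>" -> enabled | disabled | unknown
ar_state() {
    case "$1" in
        *"Authenticated Root status: enabled"*)  echo enabled ;;
        *"Authenticated Root status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# posture <sip_state> <ar_state> -> sealed | sip-off-ssv-sealed | unsealed | unknown
# "sip-off-ssv-sealed" is the state described in the question: SIP has been
# turned off, but the SSV seal is intact, so deletions on the System volume fail.
posture() {
    sip="$1"; ar="$2"
    if [ "$sip" = enabled ] && [ "$ar" = enabled ]; then
        echo sealed
    elif [ "$sip" = disabled ] && [ "$ar" = enabled ]; then
        echo sip-off-ssv-sealed
    elif [ "$ar" = disabled ]; then
        echo unsealed
    else
        echo unknown
    fi
}

# audit: run the live commands when available (macOS), otherwise fall back to the
# constructed samples that reproduce the question's situation. Exit status is 0
# only when the machine is fully sealed, so it can be used in a fleet check.
audit() {
    if command -v csrutil >/dev/null 2>&1; then
        sip_out=$(csrutil status 2>&1)
        ar_out=$(csrutil authenticated-root status 2>&1)
    else
        sip_out="$SAMPLE_SIP_DISABLED"
        ar_out="$SAMPLE_AR_ENABLED"
    fi
    s=$(sip_state "$sip_out"); a=$(ar_state "$ar_out"); p=$(posture "$s" "$a")
    echo "SIP=$s authenticated-root=$a posture=$p"
    [ "$p" = sealed ]
}

# Run the audit only when invoked as: sh posture.sh --run
if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Invoked with --run on a Big Sur machine in the poster's state, audit prints posture=sip-off-ssv-sealed and exits non-zero, which is the signal a defender wants: SIP being off is not by itself what protects the System volume, the SSV seal is, and only the authenticated-root setting reports on that.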

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange