I’m happy to announce developers can now programmatically disable Apple System Integrity Protection (SIP) on their Amazon EC2 Mac instances. System Integrity Protection (SIP), also known as rootless, is a security feature introduced by Apple in OS X El Capitan (2015, version 10.11). It’s designed to protect the system from potentially harmful software by limiting the power of the root user account. SIP is enabled by default on macOS.
SIP safeguards the system by preventing modification of protected files and folders, limiting access to system-owned files and directories, and blocking unauthorized software from selecting a startup disk. The primary goal of SIP is to address the security risk linked to unrestricted root access, which could potentially allow malware to gain full control of a device with just one password or vulnerability. By implementing this protection, Apple aims to ensure a higher level of security for macOS users, especially considering that many users operate on administrative accounts with weak or no passwords.
While SIP provides excellent protection against malware for everyday use, developers might occasionally need to temporarily disable it for development and testing purposes. For instance, when developing a new system driver or system extension, disabling SIP is necessary to install and test the code. Additionally, SIP might block access to certain system settings required for your software to function properly. Temporarily disabling SIP grants you the necessary permissions to fine-tune programs for macOS. However, it’s crucial to remember that this is akin to temporarily disabling the vault door for authorized maintenance, not leaving it permanently open.
Disabling SIP on a Mac requires physical access to the machine. You have to restart the machine in recovery mode, then disable SIP with the csrutil command line tool, then restart the machine again.
Until today, you had to operate with the standard SIP settings on EC2 Mac instances. The physical access requirement and the need to boot in recovery mode made integrating SIP with the Amazon EC2 control plane and EC2 API challenging. But that’s no longer the case! You can now disable and re-enable SIP at will on your Amazon EC2 Mac instances. Let me show you how.
Let’s see how it works
Imagine I have an Amazon EC2 Mac instance started. It’s a mac2-m2.metal instance, running on an Apple silicon M2 processor. Disabling or enabling SIP is as simple as calling a new EC2 API: CreateMacSystemIntegrityProtectionModificationTask. This API is asynchronous; it starts the process of changing the SIP status on your instance. You can monitor progress using another new EC2 API: DescribeMacModificationTasks. All I need to know is the instance ID of the machine I want to work with.
Prerequisites
On Apple silicon based EC2 Mac instances and more recent types of machines, before calling the new EC2 API, I must set the ec2-user user password and enable secure token for that user on macOS. This requires connecting to the machine and typing two commands in the terminal.
# on the target EC2 Mac instance
# Set a password for the ec2-user user
~ % sudo /usr/bin/dscl . -passwd /Users/ec2-user
New Password: (MyNewPassw0rd)
# Enable secure token, with the same password, for the ec2-user
# old password is the one you just set with dscl
~ % sysadminctl -newPassword MyNewPassw0rd -oldPassword MyNewPassw0rd
2025-03-05 13:16:57.261 sysadminctl[3993:3033024] Attempting to change password for ec2-user…
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] SecKeychainCopyLogin returned -25294
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] Failed to update keychain password (-25294)
2025-03-05 13:16:58.690 sysadminctl[3993:3033024] - Done
# The error about the keychain is expected. I never connected with the GUI on this machine, so the Login keychain does not exist
# you can ignore this error. The command below shows the list of keychains active in this session
~ % security list-keychains
"/Library/Keychains/System.keychain"
# Verify that the secure token is ENABLED
~ % sysadminctl -secureTokenStatus ec2-user
2025-03-05 13:18:12.456 sysadminctl[4017:3033614] Secure token is ENABLED for user ec2-user
Change the SIP status
I don’t need to connect to the machine to toggle the SIP status. I only need to know its instance ID. I open a terminal on my laptop and use the AWS Command Line Interface (AWS CLI) to retrieve the Amazon EC2 Mac instance ID.
aws ec2 describe-instances \
    --query "Reservations[].Instances[?InstanceType == 'mac2-m2.metal'].InstanceId" \
    --output text
i-012a5de8da47bdff7
Now, still from the terminal on my laptop, I disable SIP with the create-mac-system-integrity-protection-modification-task command:
echo '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"MyNewPassw0rd"}' > tmpCredentials
aws ec2 create-mac-system-integrity-protection-modification-task \
    --instance-id "i-012a5de8da47bdff7" \
    --mac-credentials fileb://./tmpCredentials \
    --mac-system-integrity-protection-status "disabled" && rm tmpCredentials
{
    "macModificationTask": {
        "instanceId": "i-012a5de8da47bdff7",
        "macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
        "macSystemIntegrityProtectionConfig": {},
        "startTime": "2025-03-14T14:15:06Z",
        "taskState": "pending",
        "taskType": "sip-modification"
    }
}
After the task is started, I can check its status with the aws ec2 describe-mac-modification-tasks command.
{
    "macModificationTasks": [
        {
            "instanceId": "i-012a5de8da47bdff7",
            "macModificationTaskId": "macmodification-06a4bb89b394ac6d6",
            "macSystemIntegrityProtectionConfig": {
                "debuggingRestrictions": "",
                "dTraceRestrictions": "",
                "filesystemProtections": "",
                "kextSigning": "",
                "nvramProtections": "",
                "status": "disabled"
            },
            "startTime": "2025-03-14T14:15:06Z",
            "tags": [],
            "taskState": "in-progress",
            "taskType": "sip-modification"
        },
...
The instance initiates the process and a series of reboots, during which it becomes unreachable. This process can take 60–90 minutes to complete. After that, when I see the status in the console becoming available again, I connect to the machine through SSH or EC2 Instance Connect, as usual.
➜ ~ ssh ec2-user@54.99.9.99
Warning: Permanently added '54.99.9.99' (ED25519) to the list of known hosts.
Last login: Mon Feb 26 08:52:42 2024 from 1.1.1.1
┌───┬──┐ __| __|_ )
│ ╷╭╯╷ │ _| ( /
│ └╮ │ ___|___|___|
│ ╰─┼╯ │ Amazon EC2
└───┴──┘ macOS Sonoma 14.3.1
➜ ~ uname -a
Darwin Mac-mini.local 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:27 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T8103 arm64
➜ ~ csrutil --status
System Integrity Protection status: disabled.
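The whole flow above (write credentials, start the task, poll until it leaves pending/in-progress) as one script. This is an added example, not code from the post or from AWS; the function names, the SIP_INSTANCE_ID/SIP_ROOT_PASSWORD variables and the 5-minute/36-attempt polling budget are my choices, and it assumes a configured AWS CLI. Unlike the echo-to-file step above, it keeps the password in a 0600 file that is removed as soon as the API call returns.

```shell
#!/bin/sh
# Added helper (not from the original post) around the two CLI calls shown above: it
# keeps the password out of argv, shell history and world-readable files, and polls the
# task instead of guessing when the reboot cycle ends. Assumes a configured AWS CLI.
set -eu
# Write the credentials JSON to a 0600 temp file and print its path. The body runs in a
# subshell so the umask change does not leak. Assumes the password has no " or \.
sip_credentials_file() (
  umask 077
  f=$(mktemp "${TMPDIR:-/tmp}/sipcred.XXXXXX")
  printf '{"rootVolumeUsername":"%s","rootVolumePassword":"%s"}' "$1" "$2" > "$f"
  printf '%s\n' "$f"
)
# Read describe-mac-modification-tasks JSON on stdin; print the taskState of the task
# whose macModificationTaskId is $1 (prints nothing if that id is absent).
sip_task_state() {
  awk -v id="$1" '
    index($0, "\"macModificationTaskId\": \"" id "\"") { found = 1 }
    found && /"taskState"/ { gsub(/[",]/, "", $2); print $2; exit }'
}
# sip_start <instance-id> <enabled|disabled> <user> <password>: starts the task, prints
# its macModificationTaskId and deletes the plaintext credentials file immediately.
sip_start() {
  cred=$(sip_credentials_file "$3" "$4")
  id=$(aws ec2 create-mac-system-integrity-protection-modification-task \
         --instance-id "$1" --mac-credentials "fileb://$cred" \
         --mac-system-integrity-protection-status "$2" \
         --query 'macModificationTask.macModificationTaskId' --output text) || { rm -f "$cred"; return 1; }
  rm -f "$cred"
  printf '%s\n' "$id"
}
# Poll every 5 minutes (at most 3 hours) until the task leaves pending/in-progress and
# print its final state. An empty state (transient API error) is retried.
sip_wait() {
  n=0
  while [ "$n" -lt 36 ]; do
    state=$(aws ec2 describe-mac-modification-tasks --output json | sip_task_state "$1")
    case "$state" in
      ""|pending|in-progress) n=$((n + 1)); sleep 300 ;;
      *) printf '%s\n' "$state"; return 0 ;;
    esac
  done
  echo "timed out waiting for task $1" >&2; return 1
}
# Runs only when SIP_INSTANCE_ID is set, e.g.
#   SIP_INSTANCE_ID=i-012a5de8da47bdff7 SIP_ROOT_PASSWORD=... sh sip-task.sh disabled
if [ -n "${SIP_INSTANCE_ID:-}" ]; then
  task=$(sip_start "$SIP_INSTANCE_ID" "${1:-disabled}" ec2-user "${SIP_ROOT_PASSWORD:?}")
  sip_wait "$task"
fi
```

After sip_wait returns, confirm on the instance with csrutil as shown above; the stop/start and root-volume caveats in the next section still apply.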
When to disable SIP
Disabling SIP should be approached with caution because it opens up the system to potential security risks. However, as I mentioned in the introduction of this post, you might need to disable SIP when developing system drivers or kernel extensions for macOS. Some older applications might also not function correctly when SIP is enabled.
Disabling SIP is also required to turn off Spotlight indexing. Spotlight helps you quickly find apps, documents, emails and other items on your Mac. It’s very convenient on desktop machines, but not so much on a server. When there is no need to index your documents as they change, turning off Spotlight will free up some CPU cycles and disk I/O.
Things to know
There are a couple of additional things to know about disabling SIP on Amazon EC2 Mac:
- Disabling SIP is available through the API and AWS SDKs, the AWS CLI, and the AWS Management Console.
- On Apple silicon, the setting is volume based. So if you replace the root volume, you must disable SIP again. On Intel, the setting is Mac host based, so if you replace the root volume, SIP will still be disabled.
- After disabling SIP, it will be enabled again if you stop and start the instance. Rebooting an instance doesn’t change its SIP status.
- SIP status isn’t transferable between EBS volumes. This means SIP will be disabled again after you restore an instance from an EBS snapshot or if you create an AMI from an instance where SIP is enabled.
These new APIs are available in all Regions where Amazon EC2 Mac is available, at no additional cost. Try them today.