Create an extension attribute to report SIP status

Learn how you can use Jamf Pro to detect and report on System Integrity Protection (SIP) status.

December 13 2016 by

William Smith

When Apple started delivering its newest MacBook Pro models (late 2016), some devices shipped with the System Integrity Protection (SIP) security feature disabled. SIP prevents unauthorized access to critical macOS areas such as the System folder and invisible folders such as /usr, /bin and /sbin. It’s an important safeguard against malicious software.

Unlike most other security features, SIP requires physical access to a device to modify its settings. Therefore, Jamf Pro can’t automatically enable this feature. However, it can assist administrators with detecting and reporting whether SIP is disabled using an extension attribute.

Get current status

SIP is only available on Macs running OS X 10.11 El Capitan or macOS 10.12 Sierra. The Terminal command for verifying whether SIP is enabled is:

 /usr/bin/csrutil status

It will return either:

 System Integrity Protection status: enabled.

or

 System Integrity Protection status: disabled.


Running this command on an operating system version lower than El Capitan will return an error. To avoid the error and simply return nothing, add “2>/dev/null” to the end of the command:

 /usr/bin/csrutil status 2>/dev/null


The “2” is a status code meaning “error”. Any time the command generates an error, the output will get redirected to the “/dev/null” file, which is effectively oblivion and ignored. Successful results returning either an “enabled” or “disabled” status are sent to the Terminal window for viewing.

To make the result of the command a little more useable later in the script, assign it to a variable named “status”:

 status=$( /usr/bin/csrutil status 2>/dev/null )


Evaluate and report the status

The “status” variable will return three possible results:

  1. "System Integrity Protection status: enabled."
  2. "System Integrity Protection status: disabled."
  3. an empty result due to an error

A straightforward method to evaluate the result is to use a “case” statement:

 case "$status" in

# SIP is enabled
"System Integrity Protection status: enabled.")
/bin/echo "Enabled";;

 # SIP is disabled
"System Integrity Protection status: disabled.")
/bin/echo "Disabled";;

 # SIP is not supported
"")
/bin/echo "Not Supported";;

 esac


This statement takes the value of the “status” variable and compares it to the three possible outcomes. When the extension attribute finds a match, it reports the result to the Jamf Software Server (JSS).

To use the script, log in to the JSS, navigate to JSS Settings > Computer Management > Extension Attributes and add the contents of the full script to a new extension attribute with these settings and save:

  • Display Name: SIP Status
  • Description: Report whether System Integrity Protection is Enabled or Disabled.
  • Data Type: String
  • Inventory Display: Operating System
  • Input Type: Script

JSS Reporting

For ongoing automatic reporting, create a new Smart Computer Group named “SIP Status: Disabled” under Computers and enable the group to send email notifications. Under the Criteria tab, click the Add button and add the name of the “SIP Status” extension attribute. Set its value to “Disabled” and click the Save button.

Optionally, enable the new Smart Computer Group to show in the JSS dashboard.

As devices take inventory and run the extension attribute, the operating system section of each computer record will display the status. The JSS will only email notifications when it detects a Mac with SIP disabled. Follow Apple’s instructions for re-enabling it.

View the complete script on the Jamf Professional Services GitHub page.

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.

Tags: