Disabling SIP Using Netboot?

ChrisTech
Contributor

I'm trying to disable SIP just to enable writing to the Accessibility database. I was using tccutil.py previously but as we all know SIP has made this difficult. I ran across a PDF file. The author modifies his netboot image with the command to disable SIP. Has anyone tried this yet? Here's a link to the article:

Link

I noticed that there was a Boot.sh file when I created my Sierra net boot image with AutoCasperNBI that is loaded with a LaunchDaemon in /Library/LaunchDaemons. I wonder if I edit Boot.sh if it will have the same effect. Just wondering if anyone has tried it before I give it a try tomorrow.

I just want to disable SIP temporarily to allow access to that database and turn it back on when I am done.

2 REPLIES 2

jmahlman
Valued Contributor

Instead of disabling SIP to install something (which is not good practice) you can just add the packages with your settings into a Configuration and make sure you don't check the "Erase Target drive" box. Then just boot your systems to imaging and run the configuration (or have the autorun data set).

Not sure if this will work for you, but it worked for my issue with Apple Logic receipts.

ChrisTech
Contributor

I ended up just creating a LaunchDaemon and a script. Seems to do the job.

#!/bin/sh
#Inserts code into TCC.db inside ~/Application Support/com.apple.TCC/TCC.db for OSAScript Accessibility 
#Get Logged In User
loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`
checkTCCdone()  {
        if [ -e /Users/$LoggedInUser/Library/Preferences/TCCdone.txt ] ; then
    echo "TCC.db has been modified."
        exit 0
        fi
}

configureTCCset() {
/usr/bin/sqlite3 /Users/$loggedInUser/Library/Application Support/com.apple.TCC/TCC.db "INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','/usr/bin/osascript',1,1,1,NULL,NULL)"
/usr/bin/touch /Users/$loggedInUser/Library/Preferences/TCCdone.txt
}

checkTCCdone
configureTCCset

exit 0