There is a new tool to manage SIP, available in both the Recovery environment and in OS X:
`/usr/bin/csrutil`
Running `/usr/bin/csrutil` by itself prints out a listing of currently available commands:
```
computername:~ username$ /usr/bin/csrutil
usage: csrutil <command>
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
Available commands:

    clear
        Clear the existing configuration. Only available in Recovery OS.
    disable
        Disable the protection on the machine. Only available in Recovery OS.
    enable
        Enable the protection on the machine. Only available in Recovery OS.
    status
        Display the current configuration.

    netboot
        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
        list
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.
computername:~ username$
```
`/usr/bin/csrutil disable` - Turns SIP off for the boot drive. Must be run from Recovery, and a reboot is required for the change to take effect.
If run while SIP is already disabled, the command does nothing.
When disabled, running `/usr/bin/csrutil status` on the boot drive will give the following output:
```
computername:~ username$ csrutil status
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
```
A bug has been filed about this output: openradar.appspot.com/22361698
`/usr/bin/csrutil enable` - Turns SIP on for the boot drive. Must be run from Recovery, and a reboot is required for the change to take effect. If run while SIP is already enabled, the command does nothing.
When enabled, running `/usr/bin/csrutil status` on the boot drive will give the following output:
```
computername:~ username$ csrutil status
System Integrity Protection status: enabled.
computername:~ username$
```
Note: If you run `/usr/bin/csrutil enable` followed by `/usr/bin/csrutil disable` (or vice-versa) only the first command is actually run.
`/usr/bin/csrutil netboot add` - Adds an IPv4 address to the list of allowed NetBoot sources. Must be run from Recovery.
`/usr/bin/csrutil netboot list` - Prints the list of allowed NetBoot sources. Can be run from either Recovery or the boot drive.
`/usr/bin/csrutil netboot remove` - Removes an IPv4 address from the list of allowed NetBoot sources. Must be run from Recovery.
`/usr/bin/csrutil clear` - Resets SIP status and clears NetBoot list. After reboot, SIP is enabled if it was not previously. Running `csrutil netboot list` shows that no NetBoot IPs are listed.
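
A compliance check that only greps `csrutil status` for "enabled" passes on a machine where SIP was turned off, because the disabled output shown above also begins with "enabled (Custom Configuration)". The following is an added example, not from the original post: a shell function that classifies the status text from its per-item lines instead. The function name, the `partial` and `unknown` labels and the handling of a `status: disabled` headline are assumptions; the samples are constructed from the two outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original post): classify `csrutil status` text.
# Reads the status output on stdin; prints enabled | disabled | partial | unknown.
classify_sip_status() {
    awk '
        /System Integrity Protection status:/ {
            seen = 1
            custom = ($0 ~ /Custom Configuration/)
            if      ($0 ~ /status: enabled/)  headline = "enabled"
            else if ($0 ~ /status: disabled/) headline = "disabled"
            else                              headline = "unknown"
            next
        }
        # Per-item lines of a custom configuration, e.g. "Kext Signing: disabled"
        /^[^:]+: (enabled|disabled)$/ {
            if ($NF == "enabled") on++; else off++
        }
        END {
            if (!seen)                   print "unknown"
            else if (!custom)            print headline
            else if (on == 0 && off > 0) print "disabled"   # headline says "enabled", items say otherwise
            else                         print "partial"
        }
    '
}

# Constructed samples, copied from the two status outputs shown above.
SAMPLE_ON='System Integrity Protection status: enabled.'
SAMPLE_OFF='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

for s in "$SAMPLE_ON" "$SAMPLE_OFF"; do
    printf '%s\n' "$s" | classify_sip_status
done
# On a Mac: csrutil status | classify_sip_status
```
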