System Integrity Protection
Question:
Will disabling SIP be available as a choices .XML at install time for the 10.11 OS? If not, what mechanism will be provided for automatic disabling of SIP for use with automated imaging processes for machines?
Pain point: Not every environment will be able to access Internet Recovery. At the same time, straight cloning of existing disks is problematic.
Answer:
SIP is always off in the Recovery environment and the Installer environment. While booted from those environments, you will be able to make changes to a boot disk which is otherwise protected by SIP.
SIP-protected files will still appear as "restricted" when listed with ls's -O, but they can be renamed, moved, deleted or changed.
There will be a command line tool to disable SIP in the Recovery environment, separate from the current GUI tool. The GUI tool is in fact going to disappear in favor of the command line tool. This change will likely appear in Developer Beta 2 or Beta 3; check the release notes.
Question:
The /System/Library/CoreServices/DefaultDesktop.jpg symlink is locked by System Integrity Protection (SIP) and cannot be modified. Being able to change this file will allow an admin to change the default picture for the machine. Can this be fixed? I've filed a bug on this, bug ID: 21327831
Answer:
That's a bug. Thanks for making us aware of this, as /System/Library/CoreServices/DefaultDesktop.jpg shouldn't be included in SIP's protection. This will likely be fixed in Developer Beta 2.
Question:
There is a nvram boot-args command available in Developer Beta 1 which can disable SIP when run with root privileges:
nvram boot-args="rootless=0"
Will this option of disabling SIP also be available in the El Capitan release version? Or is this strictly for the Developer Builds?
Answer:
This nvram boot-args command will be going away. It will not be available in the El Capitan release version and may disappear before the end of the Developer Betas. Keep an eye on the release notes for future Developer Betas.
Question:
With regards to bless --netboot going away, what happens if you use ARD and choose the "Startup Disk" task to remotely netboot a machine?
Answer:
That's a really good question! We haven't tested that, please test and file a bug if it doesn't work.