Ensuring SIP is enabled

It has been reported that some of the new MacBook Pros (Late 2016) have been shipping with System Integrity Protection (SIP) disabled. Apple has addressed this with the 10.12.2 update release. You can read about SIP on Rich Trouton’s blog.

One obvious question comes to mind: do you trust that the computers have not been compromised in shipping, especially with SIP disabled? Perhaps SIP doesn’t play as much into this question if your organization works off the assumption that you cannot trust any bits that come on the drive of new computers and that they must all be wiped. After all, if someone intercepts a computer during shipping, it would be just as easy for them to disable and re-enable SIP as needed.

One thing to note here is that if you wipe and image new computers, that alone won’t re-enable SIP, as that setting is stored in NVRAM, not on the drive. If you don’t wipe and image and instead rely on something like DEP or another no-imaging workflow, you still need to report on SIP’s status and take action to re-enable SIP on computers that have it disabled.

Two ways of re-enabling SIP come to mind: 1) boot into the Recovery Partition and re-enable SIP and 2) reset the NVRAM. The first you cannot really automate much, short of asking all techs to reset PRAM on every computer coming in. The second can be done manually or via the command line. Our interest will be in doing this via the command line so that it can be automated.

Once again, Rich Trouton also wrote some scripts / extension attributes that can be used to report on a computer’s SIP status. There is one condition that his extension attribute does not address and I will get to that at the end of this blog. I filed a pull request and hopefully he will accept it. I am working off the assumption that you are using my forked version of his extension attribute.

Extension attributes are a Casper/Jamf Pro specific feature that allows you to run scripts on a client when it collects inventory information. To add an extension attribute to your Jamf Pro environment:

  1. Log into your JSS.
  2. Click on the Settings gear in the top right corner.
  3. Click on the Computer Management link on the left side menu.
  4. Click on the Extension Attributes button.
  5. Click on the New button on the top of the page.
  6. Here you will fill out the Display Name (e.g. SIP Status) and a Description that helps other admins know what the extension attribute does. You will want to pick Data Type: String and Input Type: Script. Make sure the OS X tab is selected; from there you can paste in your extension attribute script. The Inventory Display setting determines where in the computer’s inventory section in the JSS the value will be shown. That’ll be a personal preference, but I tend to put most of my extension attributes in the Extension Attributes section.

Now that we know how to add an extension attribute, let’s go ahead and take the extension attribute written by Rich Trouton and add it to your JSS. Please note that this extension attribute will be collected for each computer the next time it runs an inventory update.

The next step is to create a smart group.

  1. Log into your JSS.
  2. Click on the Computers tab.
  3. Click on the Smart Group link on the left side menu.
  4. Click on the New button on the top of the page.
  5. Give your smart group a Display Name such as “SIP Is Not Active”.
  6. Click on the Criteria tab.
  7. Click on the Add button.
  8. Click on the Show Advanced Criteria button which will expand the list of all criteria you can use for a smart group.
  9. Search for the extension attribute Display Name (e.g. SIP Status) which you picked earlier in step 6 when creating the extension attribute and then click Choose.
  10. For the Operator choose “Is Not” and Value should be “Active”.
  11. Repeat steps 6-10 again. In the And/Or column, select “AND”. For the Operator choose “Is Not” and Value should be “Set To Enable After Restart”. EDIT: I incorrectly stated that you should use “OR”, but it should be “AND” in the And/Or column.
  12. Click Save.

This smart group will tell us all the computers that do not have SIP enabled as active. Keep in mind, there may be some legitimate reasons that SIP is not fully enabled and instead has certain features disabled. If that’s the case you will want to review your criteria to properly deal with those computers and perhaps exclude them.

The next step is to create a Policy. A policy allows us to take a series of actions on a device.

  1. Log into your JSS.
  2. Click on the Computers tab.
  3. Click on the Policies link on the left side menu.
  4. Click on the New button on the top of the page.
  5. In the General payload:
    1. Check the box Enabled.
    2. Pick a Display Name (e.g. Re-enable SIP).
    3. Trigger: Recurring check-in
    4. Execution Frequency: Ongoing
  6. Click on the Maintenance payload on the left side and click Configure. Make sure to check Update Inventory.
  7. Click on the Files and Processes payload on the left side and click configure. In the Execute Command field enter: /usr/bin/csrutil clear
  8. Click Scope tab.
  9. Set Target Computers to Specific Computers.
  10. Click on the Add button.
  11. Click on the Computer Groups and search for the smart group we created earlier (e.g. SIP Is Not Active) and click Choose.
  12. Click Save.

To expand a little on step 7: the command /usr/bin/csrutil clear will allow you to reset SIP. This is a brand new option in macOS 10.12.2 and is documented by Erik Gomez on his blog.

In order for SIP to be re-enabled, the computer does need to be restarted. How you wish to address that I will leave up to you.

If you used Rich Trouton’s extension attribute, his script does not account for this particular condition, so the SIP status will not report as enabled until the computer has been properly restarted. My pull request looks at the state where the /usr/bin/csrutil status command still reports “Disabled” but there is no NVRAM entry for csr-active-config. That indicates that SIP will be enabled upon restart, which is important because you definitely don’t want to continually run a policy that won’t actually do anything. When the extension attribute is run during an inventory update, it then properly reports “Set To Enable After Restart”.
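The check described above, sketched as an extension attribute script. This is an added example, not Rich Trouton’s script or the forked version from the pull request. The result strings “Active” and “Set To Enable After Restart” are the ones used in this post; “Disabled”, “Custom Configuration” and “Unknown”, and the function name classify_sip, are assumptions made for the example.

```shell
#!/bin/bash
# Added example: SIP status logic for a Jamf Pro extension attribute.
# "Active" and "Set To Enable After Restart" are the values the smart group
# in this post matches on; the other result strings are assumed labels.

# classify_sip STATUS_TEXT NVRAM_PRESENT
#   STATUS_TEXT   - output of `csrutil status`
#   NVRAM_PRESENT - "yes" if the csr-active-config NVRAM variable exists, else "no"
classify_sip() {
    local status_text="$1" nvram_present="$2"
    case "$status_text" in
        *"(Custom Configuration)"*)
            # Some SIP features were turned off individually; review before clearing.
            echo "Custom Configuration" ;;
        *"status: enabled"*)
            echo "Active" ;;
        *"status: disabled"*)
            if [ "$nvram_present" = "no" ]; then
                # csrutil clear has already removed the NVRAM entry; the
                # running system still reports disabled until it restarts.
                echo "Set To Enable After Restart"
            else
                echo "Disabled"
            fi ;;
        *)
            echo "Unknown" ;;
    esac
}

# Only query the live system where csrutil exists (macOS 10.11 and later).
if [ -x /usr/bin/csrutil ]; then
    status_text="$(/usr/bin/csrutil status 2>/dev/null)"
    # nvram exits non-zero when the variable is not set.
    if /usr/sbin/nvram csr-active-config >/dev/null 2>&1; then
        nvram_present="yes"
    else
        nvram_present="no"
    fi
    # Jamf reads the extension attribute value from the <result> tags.
    echo "<result>$(classify_sip "$status_text" "$nvram_present")</result>"
fi
```

With the smart group criteria above, a computer reporting “Custom Configuration” would still fall into scope for the policy, so exclude those computers if the configuration is intentional.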

One thought on “Ensuring SIP is enabled”

  1. Interesting commentary regarding potential compromise to the supply chain. Thanks for bringing this point of view to the Mac Admins community.
