Winclone and System Integrity Protection (SIP)

You are here:

Note: if using Winclone 7 or later, visit the updated article

Apple has implemented a new security feature, System Integrity Protection (SIP), starting with OS X 10.11. SIP prevents anyone from altering the contents of files in key System folders and is designed to protect System files from malware and viruses. SIP also affects third-party apps like Winclone that need to write to files now under protection of SIP. If you are getting an message that the boot sector cannot be updated, or that SIP needs to be disabled, this article may help.

Disabling SIP is a quick and easy process that can be easily re-enabled again after restoring the Winclone image.

Note: Saving/creating a Winclone image does not require disabling SIP.

How to Disable SIP

Disabling SIP requires booting into the recovery partition to run the Terminal command below.

To boot into the Recovery partition, hold Command (⌘)-R while restarting the Mac.

From the Utilities Menu, select Terminal. On the Terminal command line, enter:

csrutil disable

which will confirm the change with status message:

Successfully disabled System Integrity Protection. Please restart the machine for the changes to take effect.

Reboot back into the El Capitan system partition.

To re-enable SIP, boot back into the recovery partition, open Terminal from the Utilities menu and set state to enabled:

csrutil enable

Note: As of MacOS Sierra 10.12.2, it is possible to re-enable SIP from the Mac system rather than reboot into the Recovery HD. To re-enable SIP, run this command as root in Terminal:

/usr/bin/csrutil clear

Entering your system password and hit enter and the output should be: 

Successfully cleared System Integrity Protection. Please restart the machine for the changes to take effect.

What if the “csrutil” command is not found? 

If the “csrutil disable” command fails when booted into the Recovery HD, there are two possible reasons: either there is no local Recovery HD and the Mac is booted from Internet Recovery or there is a local Recovery HD but it has not been updated to OS X 10.11 El Capitan.

First, confirm that there is a local Recovery HD on your Mac’s internal drive. Open Applications-> Utilities-> Terminal and enter:

diskutil list

You’ll be looking for the Recovery HD in the third partition, with ID disk0s3. If you don’t find Recovery HD in the list of partitions, the Recovery HD can be created using tools and instructions linked below.

After creating the Recovery HD, you will need to run the OS X 10.11 El Capitan update again, even if the Mac has already been updated with the latest OS X 10.11 El Capitan version. From the App Store select the Purchased tab and download the OS X 10.11 El Capitan update and run the update. Next, boot into the Recovery HD and the csrutil command should successfully disable SIP.

Additional Resources – Open Source project that creates a package to create and update the Recovery HD – Carbon Copy Cloner can create the Recovery HD

For additional help, please contact