How to disable all macOS protections

Apple integrates a long series of advanced technologies that work together to make apps more secure, safeguard data and protect the user while browsing the web. Specific protections work deep inside the Mac to keep the computer safe from malware: technologies such as XD (Execute Disable), ASLR (Address Space Layout Randomization) and SIP (System Integrity Protection) hinder the execution of malware and ensure that processes with root permissions cannot modify critical system files. At the first launch of an app, Gatekeeper checks it for known malicious code, and apps must obtain the user's permission before accessing files in the Documents, Downloads and Desktop folders, on iCloud Drive or on external volumes.

These and other protections have grown with the latest versions of macOS. Most users do not need to change anything, but more experienced users may need access to certain areas of the system that are no longer accessible, for example to install old drivers or to allow the execution of outdated software. The French site Journaldulapin reports a series of commands that disable the most important protections on the Mac and allow the execution of unsigned applications and activity in otherwise inaccessible areas of the system. The advice is obviously to execute these commands only if you know what you are doing.

Disable the Gatekeeper

In the “General” section of the “Security and Privacy” pane in the System Preferences of older macOS versions, it was possible to decide which applications were allowed to run: those from the “Mac App Store”, those from the “Mac App Store and identified developers” (the store plus developers identified by Apple), or “Anywhere”, in other words the ability to open any app regardless of its origin. This last option has disappeared from the most recent versions of macOS, but Gatekeeper can still be set to always allow the execution of unsigned apps with a Terminal command run as administrator:

sudo spctl --master-disable

After this command is executed, the administrator password is requested; enter it to apply the change. Then close and reopen System Preferences to see the “Anywhere” option reappear in the “Allow apps downloaded from” section of “Security and Privacy”.

Technically, the spctl command (SecAssessment system policy security) modifies the behavior of the subsystem that manages and applies the rules for installing, executing and otherwise operating on files that interact with the system.

The Terminal command to restore the default setting is:

sudo spctl --master-enable

Our advice is to leave the option on “App Store and identified developers”, which protects the Mac from malware by allowing only apps that come from the App Store and from developers recognized and certified by Apple.

Disable SIP

SIP stands for System Integrity Protection. Apple explains that System Integrity Protection is a security technology designed to prevent potentially dangerous software from modifying protected folders and files on the Mac. System Integrity Protection restricts the root user account and the actions that root user can run on the protected parts of the Mac operating system.

Before System Integrity Protection, the root user had no permission restrictions and could therefore access any system folder or app on the Mac. Software gained root-level access when the user entered an administrator name and password to install it. This allowed the software to modify or overwrite any system file or app.

System Integrity Protection is designed to allow changes to the protected parts of the system only by Apple-signed processes that have special write rights to system files, such as software updates and Apple installers.

It is possible to deactivate System Integrity Protection with a Terminal command (to be run after starting the Mac from the recovery partition):

csrutil disable

By disabling SIP, it is no longer possible to run iPhone and Mac apps on Macs with macOS Big Sur with M1 chip.

 

When we first open an app downloaded from the web, Gatekeeper on the Mac checks it for the presence of known malicious code. If you have a problem with an app, Apple can prevent it from being installed again and even block it from starting.

Disable SKEL

To improve the security of the operating system, from macOS High Sierra 10.13 onward Apple has provided a feature called Secure Kernel Extension Loading (SKEL). The feature requires end-user consent to load any third-party kernel extension installed after macOS High Sierra or later was installed. Because of SKEL, unsigned extensions cannot be loaded without the consent of the end user. If for some reason you need to disable the Secure Kernel Extension Loading mechanism, the command is as follows:

spctl kext-consent disable

 

Disable the library access validation mechanism

This is a recent protection mechanism: Apple prevents the loading of unsigned libraries. If for some reason you need to allow them to be loaded, the command to type in the Terminal is the following:

sudo defaults write /Library/Preferences/com.apple.security.libraryvalidation.plist DisableLibraryValidation -bool true

 

Disable AMFI

Apple Mobile File Integrity (AMFI) is a process that verifies the integrity of data and applications. To disable this authorization mechanism, you must once again use the Terminal started from the macOS recovery partition. The command is as follows:

nvram boot-args="amfi_get_out_of_my_way=0x1"

Disable SSV

With macOS Big Sur, Apple has placed the operating system on a read-only partition. The whole system is signed and cannot be changed. If for some reason you need to make changes, you can disable the Signed System Volume (SSV). To do this, once again you need to boot the system from the recovery partition and type this command:

csrutil authenticated-root disable

 

This command disables volume encryption; the system volume can then be mounted and the change made. To make the volume bootable again, a “blessing” step is required, with a command such as:

sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot

We reiterate once again that it is best NOT to change the standard system behavior. macOS is safe from the ground up and you don’t need to change anything if the software you use is up to date. Before making changes that could reduce the security of the system, contact the developers of the software or driver you need to find out whether an updated version is available that is compatible with the security mechanisms of the latest versions of macOS.
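To check whether any of the protections covered above has been left disabled on a Mac, the read-only status queries of the same tools can be collected in one audit script. This is an added example, not part of the original article; the function names and the status strings matched are assumptions, and the sample outputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: audit the protections discussed in this article.
# Assumption: the status strings matched below are what the tools print.

# classify CHECK OUTPUT -> prints ok, WEAKENED or unknown
classify() {
    case "$1:$2" in
        gatekeeper:*"assessments disabled"*) echo WEAKENED ;;
        gatekeeper:*"assessments enabled"*)  echo ok ;;
        sip:*"status: disabled"*|ssv:*"status: disabled"*) echo WEAKENED ;;
        sip:*"status: enabled"*|ssv:*"status: enabled"*)   echo ok ;;
        kext:*DISABLED*)  echo WEAKENED ;;
        kext:*ENABLED*)   echo ok ;;
        libval:1)         echo WEAKENED ;;   # DisableLibraryValidation = true
        libval:|libval:0) echo ok ;;         # key absent or false
        amfi:*amfi_get_out_of_my_way=0x1*|amfi:*amfi_get_out_of_my_way=1*)
                          echo WEAKENED ;;
        amfi:*)           echo ok ;;         # boot-arg not set
        *)                echo unknown ;;    # e.g. SIP custom configuration
    esac
}

# audit: query each mechanism read-only; returns 1 if any is not "ok"
audit() {
    plist=/Library/Preferences/com.apple.security.libraryvalidation.plist
    rc=0
    for check in gatekeeper sip ssv kext libval amfi; do
        case "$check" in
            gatekeeper) out=$(spctl --status 2>&1) ;;
            sip)        out=$(csrutil status 2>&1) ;;
            ssv)        out=$(csrutil authenticated-root status 2>&1) ;;
            kext)       out=$(spctl kext-consent status 2>&1) ;;
            libval)     out=$(defaults read "$plist" DisableLibraryValidation 2>/dev/null) ;;
            amfi)       out=$(nvram boot-args 2>/dev/null) ;;
        esac
        state=$(classify "$check" "$out")
        printf '%-10s %s\n' "$check" "$state"
        [ "$state" = ok ] || rc=1
    done
    return "$rc"
}

# Only query the system on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = Darwin ]; then audit; fi
```

A non-zero exit status means at least one mechanism is disabled or in a state that needs manual review, which makes the script usable as a fleet compliance check.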

 

by Abdullah Sam
I’m a teacher, researcher and writer. I write about study subjects to improve the learning of college and university students. I write top Quality study notes Mostly, Tech, Games, Education, And Solutions/Tips and Tricks. I am a person who helps students to acquire knowledge, competence or virtue.
