#SystemIntegrityProtection
govindhtech · 1 month ago
Enable System Integrity Protection on Mac Instances in AWS
AWS Adds Programmatic Management of macOS System Integrity Protection on EC2 Mac Instances
A new capability from Amazon Web Services lets developers using Amazon EC2 Mac instances manage Apple's System Integrity Protection (SIP) programmatically. The feature removes the need for physical access and recovery-mode reboots to change SIP status, simplifying development and testing.
What Mac System Integrity Protection does
In 2015, Apple added System Integrity Protection, also known as "rootless", to OS X El Capitan 10.11. SIP is enabled by default on macOS and limits what the root user account can do, protecting the system from malicious apps. It secures the system by restricting access to system-owned files and directories, preventing unauthorised software from selecting a startup disk, and blocking changes to protected files and folders.
SIP addressed the security problem of unconstrained root access, through which a single password or vulnerability could let malware take full control of a device. Apple added SIP to macOS to raise the security baseline, especially because many users run administrator accounts with weak or no passwords.
SIP provides effective malware protection for everyday use, but developers may need to disable it temporarily for development and testing. Disabling SIP makes it possible to install and test new device driver or system extension code. SIP may also block system configurations that some apps need.
Temporarily disabling SIP grants the permissions needed to develop and optimise macOS software. Think of it as opening the vault door for approved maintenance, not leaving it open permanently. Typical reasons to disable SIP include turning off Spotlight indexing, driver development, and compatibility with outdated software. Spotlight can be turned off to conserve CPU and disk I/O when indexing is not needed; it is useful for fast searching on desktops but less so on servers.
Disabling SIP on macOS
Previously, SIP could only be disabled with physical access to the Mac: restart into recovery mode, disable SIP with csrutil, then restart again. Because of the physical access and recovery-mode boot, SIP management could not be integrated with the EC2 API and the Amazon EC2 control plane. Before this announcement, developers used EC2 Mac instances with the default SIP settings.
The new AWS API fixes this. Developers can now enable and disable SIP on Amazon EC2 Mac instances on demand. The process begins with CreateMacSystemIntegrityProtectionModificationTask, a new EC2 API. This asynchronous API call starts a task that changes the instance's SIP status. Developers can track task progress with another new EC2 API, DescribeMacModificationTasks. These tasks are addressed to the target EC2 Mac instance by its instance ID alone.
Some prerequisites must be met before using the new API on current-generation and Apple silicon-based EC2 Mac instances. Developers must log in to the instance, set a password, and enable a secure token for the ec2-user account on macOS. In the instance terminal, set the password with sudo /usr/bin/dscl . -passwd /Users/ec2-user, then enable the secure token with sysadminctl -newPassword [password] -oldPassword [password]. If the GUI has never been used, a Keychain error may appear, but the command still activates the secure token. To verify, run sysadminctl -secureTokenStatus ec2-user.
Once the prerequisites are met (on applicable instances) and the instance ID is known, the AWS CLI or any other supported method can toggle the SIP status. The create-mac-system-integrity-protection-modification-task command takes the instance ID, the desired SIP state (such as "disabled"), the root volume username (ec2-user), and the password, supplied through a credentials file.
The API call returns the task ID and the modification task's initial status (typically "pending"). The describe-mac-modification-tasks command tracks the task's progress, showing statuses such as "in-progress" along with the SIP configuration details.
The API initiates a reboot, during which the instance is inaccessible. The whole operation can take 60–90 minutes. Once it completes and the instance shows as available again in the AWS console, developers can connect to the machine via SSH or EC2 Instance Connect. Run csrutil status to verify the instance's new SIP status.
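As an added example (not AWS's code or this post's), a POSIX shell script that runs the workflow just described end to end: it writes the credentials file, starts the modification task, and polls describe-mac-modification-tasks until the task finishes. The instance ID is a placeholder, and the CLI option names and JSON field names are assumptions from my reading of the AWS CLI reference; confirm them with aws ec2 help before use.

```shell
#!/bin/sh
# Toggle SIP on an EC2 Mac instance through the new API and poll the task.
# Added example, not AWS's own code. Assumes AWS CLI v2 with the two
# subcommands the post names; the option and field names below
# (--mac-system-integrity-protection-status, --mac-credentials,
# macModificationTaskId, taskState) are assumptions to verify.
set -eu

AWS_CMD="${AWS_CMD:-aws}"            # override with a stub for dry runs
POLL_SECONDS="${POLL_SECONDS:-300}"  # the post quotes 60-90 minutes end to end
MAX_POLLS="${MAX_POLLS:-24}"         # 24 x 5 min = 2 hours before giving up

# Write the credentials file the API needs (ec2-user must already have a
# password and a secure token). Created with mode 0600 so the password
# is not readable by other local users.
write_credentials() {            # $1 = path, $2 = ec2-user password
  ( umask 077
    printf '{"rootVolumeUsername":"ec2-user","rootVolumePassword":"%s"}\n' "$2" > "$1" )
}

# Pull one string field out of the CLI's pretty-printed JSON without jq.
json_field() {                   # $1 = field name; JSON on stdin
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Start the modification task; prints the task id.
start_sip_task() {               # $1 = instance id, $2 = enabled|disabled, $3 = creds file
  "$AWS_CMD" ec2 create-mac-system-integrity-protection-modification-task \
    --instance-id "$1" \
    --mac-system-integrity-protection-status "$2" \
    --mac-credentials "file://$3" | json_field macModificationTaskId
}

# Current taskState of a task (pending, in-progress, completed, failed).
task_state() {                   # $1 = task id
  "$AWS_CMD" ec2 describe-mac-modification-tasks \
    --mac-modification-task-ids "$1" | json_field taskState
}

# Poll until the task leaves pending/in-progress; succeeds only on "completed".
wait_for_task() {                # $1 = task id; prints the final state
  n=0
  while [ "$n" -lt "$MAX_POLLS" ]; do
    state=$(task_state "$1")
    case "$state" in
      completed) echo "$state"; return 0 ;;
      pending|in-progress) n=$((n + 1)); sleep "$POLL_SECONDS" ;;
      *) echo "${state:-unknown}"; return 1 ;;
    esac
  done
  echo "timeout"; return 1
}
```

Typical use: write_credentials creds.json 'password', then tid=$(start_sip_task i-0123456789abcdef0 disabled creds.json) and wait_for_task "$tid"; when it prints "completed", connect over SSH and confirm with csrutil status.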
Things to know about SIP on Amazon EC2 Mac instances
SIP can be disabled from the AWS Management Console, the CLI, the API, and the SDKs.
On Apple silicon instances, SIP state is tied to the root volume: if the root volume is replaced, SIP must be disabled again. On Intel instances, SIP status is unaffected by root volume replacement because the configuration is stored on the Mac host.
Enabling or disabling SIP involves stopping and restarting the instance. An ordinary reboot does not change the instance's SIP status.
SIP status is not carried over between EBS volumes. If you create an Amazon Machine Image (AMI) from an instance or restore an instance from an EBS snapshot, SIP reverts to its default state and must be set again.
Availability
These new APIs are available in all AWS regions that offer Amazon EC2 Mac instances. AWS states there is no additional charge for the new SIP configuration options.
This new functionality streamlines workflows that previously required manual intervention and significant downtime, giving EC2 Mac customers more flexibility and control over their build and development environments.
lucidgen · 4 years ago
Turn off Gatekeeper and System Integrity Protection (SIP) on a Mac. A guide to turning off Gatekeeper (enabling the "Anywhere" option) and turning off System Integrity Protection (SIP) on a Mac (including M1), kept simple with easy-to-follow images. #FAQ #Gatekeeper #MacOSMacMacbook #SystemIntegrityProtection #Terminal