It doesn’t eliminate the possibility of malware or folks finding a way to subvert this mode, but it does increase the difficulty of finding a hole to penetrate. All such changes discourage those who hack for profit or destruction, because the more time an attack takes and the less likely it is to succeed, the more often they turn to other operating systems and targets.
However, a few system-modifying and system-extending software programs can’t work properly under SIP, as I discussed back in July in covering this feature and a simple workaround available in the public betas. The golden master (final release candidate) and shipping version of El Capitan have a minor change that makes it harder, but not impossible, to turn SIP off.
Early reports of problems with rootless mode seemed to indicate that a wider set of software might be unable to work with the restriction enabled, such as SuperDuper! from Shirt Pocket Software. However, Apple made changes during beta testing that resolved concerns with that app and others. (Shirt Pocket had to update SuperDuper! to deal with the omission of an open-source program, which breaks scheduled updates; those have to be re-created in the El Capitan-compatible release.)
At the moment, only a few widely used utilities won’t work with SIP enabled:
Rogue Amoeba has opted to discontinue Intermission, which it says wasn’t one of its big sellers, as it is incompatible with SIP, and incorporated its functionality into Audio Hijack.
There were previously concerns about a few utilities that have been resolved:
Disabling rootless mode in El Capitan beta required just selecting a menu item after booting into the Recovery disk. Now, it’s slightly more involved with El Capitan.
Warning: The point of SIP is to prevent malware and other unwanted modifications to system files. Consider whether or not you want to dispense with this protection.
For the following to work, you must have a proper and up-to-date Recovery partition on your boot drive. While that should be a given, it’s possible to clone a startup volume without Recovery installed.
Follow these steps to disable SIP:
You can re-enable SIP by following the above steps, but using csrutil enable instead.
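To confirm that SIP is actually back on after re-enabling it, or to audit a Mac you didn't set up yourself, you can classify the text that csrutil status prints. The script below is an added example, not part of the original article; the function names and sample strings are constructed for illustration, and it treats anything other than a plain "enabled" as not fully protected.

```shell
#!/bin/sh
# Added example: classify the text printed by `csrutil status`.
# sip_state and sip_audit are hypothetical helper names, not Apple tools.

# sip_state TEXT -> prints one of: enabled, disabled, partial, unknown
sip_state() {
    # Find the status line; ignore any other lines in the output.
    line=$(printf '%s\n' "$1" | grep -i 'System Integrity Protection status:' | head -n 1)
    if [ -z "$line" ]; then
        echo unknown        # tool missing, or output not recognised
        return 0
    fi
    # Keep only what follows "status:", lower-cased, without a trailing CR.
    value=$(printf '%s\n' "$line" | sed 's/^.*status:[[:space:]]*//' \
            | tr -d '\r' | tr 'A-Z' 'a-z')
    case "$value" in
        enabled|enabled.)   echo enabled ;;
        disabled|disabled.) echo disabled ;;
        *)                  echo partial ;;   # qualified status: not a clean "enabled"
    esac
}

# sip_audit TEXT -> exit 0 only when SIP is fully enabled, so the check
# fails closed: disabled, partial and unknown all count as findings.
sip_audit() {
    state=$(sip_state "$1")
    echo "SIP state: $state"
    [ "$state" = enabled ]
}

# On a Mac, audit the live system; elsewhere this block is skipped.
if command -v csrutil >/dev/null 2>&1; then
    sip_audit "$(csrutil status 2>&1)" || echo "WARNING: SIP is not fully enabled"
fi
```

Because sip_audit returns non-zero for every state except "enabled", it can be dropped into a login or management script that needs to flag machines where the protection was switched off and never restored.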