With the release of macOS Sierra 10.12.2, Apple has made one welcome change to System Integrity Protection (SIP): you can now re-enable the feature without being booted into the Recovery partition!

How To

To re-enable SIP, you run the following command:

/usr/bin/csrutil clear

Please note that you will need to run this as root. To see if the command was successful, run nvram -p and look for csr-active-config. If the key does not exist, then SIP has been re-enabled.

Example:

csrutil status
System Integrity Protection status: disabled.

nvram -p
csr-active-config   w%00%00%00

sudo csrutil clear
Password:
Successfully cleared System Integrity Protection. Please restart the machine for the changes to take effect.

csrutil status
System Integrity Protection status: disabled.

nvram -p

Enhancement

I have asked for an enhancement to mimic the behavior of fdesetup status

Hopefully Apple can have csrutil status show something like this:

System Integrity Protection is Off, but will be enabled after the next restart.

Table Of Contents