5

I'm using mac os 11.2.1 Big Sur. My question concerns using the Terminal utility to delete Apple default apps protected by SIP. I have disabled System Integrity Protection and confirmed that it is off by typing:

csrutil

Terminal duly returns "disabled" to confirm that SIP is definitely off. I then attempted to delete various Apple default apps, as follows:

sudo rm -rf FaceTime.app/

sudo rm -rf TV.app/


sudo rm -rf Mail.app/

But nothing seems to happen. The apps are still in my Applications folder and launch normally. If I try to delete them manually, I get a beep and the deletion is rejected just as if SIP were still enabled.

Can someone suggest a better way to remove Mail?

Monomeeth
  • 64,558
Kim
  • 53
  • 1
    I believe even with SIP disable, the volume containing these apps is mounted read-only. You can find these apps in the /System/Applications directory. The mount command should show / as mounted read-only. – David Anderson Feb 22 '21 at 00:44
  • 1
    The unspoken question is :Why do you want to remove these apps? Do you want to stop them launching, in favour of other apps, or something else? You'd save a grand total of 128 Mb of disk space, so hardly worth it on that account. – benwiggy Feb 22 '21 at 10:53
  • 1
    IMO, this should not have been closed, as the linked question is much less specific. – Wowfunhappy Feb 28 '21 at 23:43
  • I’m going to reverse the close since I agree with you @Wowfunhappy we can sort this out on [meta] if anyone disagrees or has a better solution. I also wonder is a good answer would be to set the hidden directory attributes of these apps rather than deleting them? – bmike Mar 21 '21 at 21:28
  • 1
    @bmike Hidden directory attribute is clever, but then the apps would still show up in the Open With menu and similar locations throughout the OS. If there’s a way to e.g. fully exclude them from LaunchServices, that’s something I’d be interested to know about... – Wowfunhappy Mar 22 '21 at 05:07
  • We set default apps with tools at work so that outlook opens all mail. Maybe a new question asking how to workaround the launch services as a practical question would help @Wowfunhappy – bmike Jun 22 '22 at 11:06

1 Answers1

4

Big Sur seals the system and signs it cryptographically - deleting parts of the system is no longer as simple as politely asking SIP to stand down for a moment.

You might find it far easier to prevent these apps from launching using restrictions or screen time. The effort required to surgically remove apps is far more than it was in the past.

Here's how to check if your volume is still sealed before / after trying to tamper with it.

csrutil authenticated-root status

Here is an article that goes very deep into which portions of the system you can expect to change and which have added security protection.

In macOS Mojave 10.14, macOS boots from a single APFS volume, in which sensitive system folders and files are mixed with those which users can write to. The main protections provided to the system come from classical Unix permissions with the addition of System Integrity Protection (SIP)

Catalina 10.15 changes that by splitting the boot volume into two: the System and Data volumes, making up an APFS Volume Group. Immutable system files now reside on the System volume, which not only has complete protection by SIP, but is normally mounted read-only.

Although Big Sur uses the same protected System volume and APFS Volume Group as Catalina, it changes the way that volume is protected to make it an even greater challenge for those developing malicious software: welcome to the Signed System Volume (SSV).

There is support to make changes to the SSV:

  1. Boot to recovery
  2. csrutil authenticated-root disable
  3. Manually mount the correct filesystem - make your changes
  4. Make a new snapshot and tell the system trust this non-SSV authenticated system. sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot

I don't know a good way to show you how to find your snapshot yet - so you'll need to do some digging and learning and report back if you find a "cookie cutter" process that handles things.

bmike
  • 235,889