AWS Enables Programmatic Management of EC2 Mac Instances’ macOS System Integrity Protection
Developers using Amazon EC2 Mac instances can now manage Apple’s System Integrity Protection (SIP) programmatically, thanks to a major update released by Amazon Web Services (AWS). The new feature streamlines development and testing by removing the need for physical access and recovery-mode reboots in order to change the SIP status.
What System Integrity Protection does
Apple added the “rootless” System Integrity Protection to OS X El Capitan (10.11), launched in 2015. On macOS, SIP is enabled by default and limits the power of the root account in order to protect against malicious software. Its main purpose is to secure the system by restricting access to system-owned files and directories, preventing unauthorized software from selecting a startup disk, and prohibiting alterations to protected files and folders.
With SIP, Apple directly addressed the security problem of unfettered root access, which could allow malware to take complete control of a device through a single password or vulnerability. The aim was to give macOS users a higher level of security, especially since many users run administrative accounts, which occasionally have weak or no passwords.
For normal daily use, SIP offers strong protection against malware, but for some development and testing needs, developers may have to disable it temporarily. For instance, installing and testing code for a new device driver or system extension requires SIP to be disabled. SIP may also block access to specific system configurations that some software needs in order to run correctly.
Temporarily disabling SIP grants the permissions needed to build and optimize programs for macOS. This should not be understood as leaving the vault door open permanently, but as briefly switching off the alarm for authorized maintenance. Besides driver development and compatibility with some older programs, disabling SIP is also needed to turn off Spotlight indexing. When indexing is not required, Spotlight can be turned off to free up CPU cycles and disk I/O; it is useful for rapidly locating items on desktop computers, but far less so on servers.
Disabling SIP on EC2 Mac instances
Previously, disabling SIP required physical access to the Mac: restarting the computer in recovery mode, disabling SIP with the csrutil command-line tool, and then restarting again. The need for physical access and for a recovery-mode boot made it hard to integrate SIP management with the EC2 API and the Amazon EC2 control plane. Before this announcement, developers had to use EC2 Mac instances with the default SIP settings.
The new AWS API resolves this. Developers can now turn SIP off and on for their Amazon EC2 Mac instances as they see fit. The process is started by calling CreateMacSystemIntegrityProtectionModificationTask, a new EC2 API. The request is asynchronous: it initiates the change of the instance’s SIP status and returns immediately. Developers can track the task’s progress with DescribeMacModificationTasks, another new EC2 API. The instance ID of the target EC2 Mac instance is all that is required to carry out these tasks.
There is a precondition step before using the new API on the more recent instance types and on Apple silicon-based EC2 Mac instances. To configure the ec2-user account, developers need to connect to the instance, set the account’s password, and enable a secure token for that user on macOS. The two commands to run in the instance’s terminal are sudo /usr/bin/dscl . -passwd /Users/ec2-user to set the password and sysadminctl -newPassword [password] -oldPassword [password] to enable the secure token. If the GUI has never been used, an expected error about the Keychain may appear; it can be disregarded because the command still activates the secure token. You can verify with sysadminctl -secureTokenStatus ec2-user.
Once the prerequisites are satisfied (on applicable instances) and the instance ID is known, the SIP status can be toggled via the AWS Command Line Interface (AWS CLI) or the other supported interfaces. With the create-mac-system-integrity-protection-modification-task command, you specify the instance ID, the desired SIP status (such as “disabled”), and a credentials file containing the root volume username (ec2-user) and the password set in the previous step.
When the call succeeds, the API returns details of the created modification task, including its initial status (usually “pending”) and a unique task ID. The describe-mac-modification-tasks command can then be used to review the task’s progress; it reports statuses such as “in-progress” and gives specifics about the SIP configuration being applied.
As part of the process the API started, the instance goes through a succession of reboots and becomes unreachable. The entire operation can take anywhere from sixty to ninety minutes. Once the process is finished and the instance status is visible again in the AWS console, developers can connect to the machine over SSH or with EC2 Instance Connect as usual. The instance’s new SIP status can be verified by running csrutil status.
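The CLI workflow described above (start the task, poll it, act on the final state) as an added POSIX shell example; this is not code from the article or from AWS. The flag names, the JSON field names and the “successful”/“failed” task states are assumed from the EC2 CLI and should be checked against the API reference; the instance ID is a constructed placeholder.

```shell
# Added example, not from the article or AWS: drive the SIP change from a
# POSIX shell, polling describe-mac-modification-tasks until the task leaves
# pending/in-progress. Assumed (not on the page): the CLI flag names, the JSON
# field names and the "successful"/"failed" task states.

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"   # constructed placeholder
# Command used to look up a task; overridable so the polling logic can be
# exercised offline with a stub that prints canned JSON.
DESCRIBE_CMD="${DESCRIBE_CMD:-aws ec2 describe-mac-modification-tasks --mac-modification-task-ids}"

# Start the change ("disabled" or "enabled") using a credentials file holding
# the ec2-user password set earlier; prints the task id. Needs real AWS
# credentials, so it is not exercised offline.
start_sip_task() {
  aws ec2 create-mac-system-integrity-protection-modification-task \
    --instance-id "$INSTANCE_ID" \
    --mac-system-integrity-protection-status "$1" \
    --mac-credentials "file://$2" \
    --query 'macModificationTask.macModificationTaskId' --output text
}

# Extract the taskState value from describe-mac-modification-tasks JSON
# (compact or pretty-printed). Plain sed, so it works on a host without jq.
task_state_from_json() {
  printf '%s\n' "$1" |
    sed -n 's/.*"taskState"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map a task state to an exit code: 0 finished, 1 still running, 2 failed/unknown.
classify_state() {
  case "$1" in
    pending|in-progress) return 1 ;;
    successful)          return 0 ;;
    *)                   return 2 ;;
  esac
}

# Poll until the task settles. Args: task id, max polls, seconds between polls
# (the article quotes 60-90 minutes, so the defaults allow two hours).
wait_for_task() {
  task_id=$1; max=${2:-120}; delay=${3:-60}; n=0
  while [ "$n" -lt "$max" ]; do
    state=$(task_state_from_json "$($DESCRIBE_CMD "$task_id")")
    rc=0; classify_state "$state" || rc=$?
    if [ "$rc" -ne 1 ]; then printf '%s\n' "$state"; return "$rc"; fi
    n=$((n + 1)); sleep "$delay"
  done
  printf 'timeout\n'; return 2
}
```

A typical run is `TASK=$(start_sip_task disabled creds.json) && wait_for_task "$TASK"`, followed by `csrutil status` over SSH once the instance is reachable again.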
There are several important considerations when handling SIP on Amazon EC2 Mac instances.
- SIP can be disabled through the AWS Management Console, the AWS CLI, the API, and the AWS SDKs.
- On Apple silicon, the SIP setting is volume-based. This means SIP will need to be disabled again if the root volume is replaced. On Intel instances the setting is tied to the Mac host, so replacing the root volume has no effect on the SIP status.
- SIP can be disabled and then enabled again by stopping and restarting the instance. An instance’s SIP status is unaffected by a reboot.
- It is not possible to transfer SIP status between EBS volumes. This implies that SIP will be turned off once more if you generate an Amazon Machine Image (AMI) from an instance where SIP was enabled or if you restore an instance from an EBS snapshot.
Availability
All AWS regions where Amazon EC2 Mac instances are accessible now support these new APIs. According to AWS, there is no extra charge to use these new SIP setup features.
Workflows that previously required manual intervention and prolonged downtime are streamlined by this new functionality, which gives EC2 Mac customers more flexibility and control over their build and development environments.