Disabled mac os SIP but still can't delete default apps
Big Sur seals the system and signs it cryptographically - deleting parts of the system is no longer as simple as politely asking SIP to stand down for a moment.
You might find it far easier to prevent these apps from launching using restrictions or screen time. The effort required to surgically remove apps is far more than it was in the past.
Here's how to check if your volume is still sealed before / after trying to tamper with it.
csrutil authenticated-root status
Here is an article that goes very deep into which portions of the system you can expect to change and which have added security protection.
- https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/
In macOS Mojave 10.14, macOS boots from a single APFS volume, in which sensitive system folders and files are mixed with those which users can write to. The main protections provided to the system come from classical Unix permissions with the addition of System Integrity Protection (SIP)
Catalina 10.15 changes that by splitting the boot volume into two: the System and Data volumes, making up an APFS Volume Group. Immutable system files now reside on the System volume, which not only has complete protection by SIP, but is normally mounted read-only.
Although Big Sur uses the same protected System volume and APFS Volume Group as Catalina, it changes the way that volume is protected to make it an even greater challenge for those developing malicious software: welcome to the Signed System Volume (SSV).
There is support to make changes to the SSV:
- Boot to recovery
csrutil authenticated-root disable
- Manually mount the correct filesystem - make your changes
- Make a new snapshot and tell the system trust this non-SSV authenticated system.
sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot
I don't know a good way to show you how to find your snapshot yet - so you'll need to do some digging and learning and report back if you find a "cookie cutter" process that handles things.