Disabled mac os SIP but still can't delete default apps

terminal applications sip big-sur

Big Sur seals the system and signs it cryptographically - deleting parts of the system is no longer as simple as politely asking SIP to stand down for a moment.

You might find it far easier to prevent these apps from launching using restrictions or screen time. The effort required to surgically remove apps is far more than it was in the past.

Here's how to check if your volume is still sealed before / after trying to tamper with it.

csrutil authenticated-root status

Here is an article that goes very deep into which portions of the system you can expect to change and which have added security protection.

  • https://eclecticlight.co/2020/06/25/big-surs-signed-system-volume-added-security-protection/

In macOS Mojave 10.14, macOS boots from a single APFS volume, in which sensitive system folders and files are mixed with those which users can write to. The main protections provided to the system come from classical Unix permissions with the addition of System Integrity Protection (SIP)

Catalina 10.15 changes that by splitting the boot volume into two: the System and Data volumes, making up an APFS Volume Group. Immutable system files now reside on the System volume, which not only has complete protection by SIP, but is normally mounted read-only.

Although Big Sur uses the same protected System volume and APFS Volume Group as Catalina, it changes the way that volume is protected to make it an even greater challenge for those developing malicious software: welcome to the Signed System Volume (SSV).

There is support to make changes to the SSV:

  1. Boot to recovery
  2. csrutil authenticated-root disable
  3. Manually mount the correct filesystem - make your changes
  4. Make a new snapshot and tell the system trust this non-SSV authenticated system. sudo bless --folder /[mountpath]/System/Library/CoreServices --bootefi --create-snapshot

I don't know a good way to show you how to find your snapshot yet - so you'll need to do some digging and learning and report back if you find a "cookie cutter" process that handles things.

Related

How do you remove Safari 6 on Mac OS X 10.7.4
"No administrator was found" in Startup Security Utility
Can I change some but not all Apple keyboard function keys (dim vs F1, bright vs F2)?
Is installing Mavericks on Hackintosh legal? [closed]
Many OS X app store apps are listed as "app" is damaged and can't be opened
How to set default Window position and/or size?
How to Change File Type Associations?
MacBook Air boots to strange screen showing Magic Mouse and TrackPad
How can I opt out of updates for one app when using the App Store?
Enable click-through, preferrably for all applications
Remove macOS from a APFS container?
How to delete kexts in Catalina?