Disabling System Integrity Protection

What is System Integrity Protection and why does it need to be disabled?

System Integrity Protection ("rootless") is a security feature of macOS first introduced in 10.13, then further locked down in 10.14.

System Integrity Protection protects some files and directories from being modified — even from the root user. yabai needs System Integrity Protection to be (partially) disabled so that it can inject a scripting addition into Dock.app, which owns the sole connection to the macOS window server. Many features of yabai require this scripting addition to be running such that yabai can modify windows, spaces and displays in a way that otherwise only Dock.app could.

The following features of yabai require System Integrity Protection to be (partially) disabled:

• focus/create/destroy space without animation
• move space (and its windows) left, right or to another display
• remove window shadows
• enable window transparency
• control window layers (make windows appear topmost)
• sticky windows (make windows appear on all spaces)
• move window by clicking anywhere in its frame
• toggle picture-in-picture for any given window
• border for focused and inactive windows

NOTE: The scripting addition does currently not support Apple Silicon (M1).

See this comment for a more in-depth explanation.

How do I disable System Integrity Protection?

1. Turn off your device

2. Intel (apple docs):
   Hold down command ⌘R while booting your device.

   Apple Silicon (apple docs):
   Press and hold the power button on your Mac until “Loading startup options” appears. Click Options, then click Continue.

3. In the menu bar, choose Utilities, then Terminal

#
# APPLE SILICON
#

# If you're on Apple Silicon macOS 12.x.x
# Requires Filesystem Protections, Debugging Restrictions and NVRAM Protection to be disabled
# (printed warning can be safely ignored)
csrutil disable --with kext --with dtrace --with basesystem

# Apple Silicon needs to allow non-Apple-signed arm64e binaries 
nvram boot-args=-arm64e_preview_abi

#
# INTEL
#

# If you're on Intel macOS 12.x.x or Intel macOS 11.0.1
# Requires Filesystem Protections and Debugging Restrictions to be disabled (workaround because --without debug does not work)
# (printed warning can be safely ignored)
csrutil disable --with kext --with dtrace --with nvram --with basesystem

# If you're on Intel macOS 10.14 and 10.15
# Requires Filesystem Protections and Debugging Restrictions to be disabled
# (printed warning can be safely ignored)
csrutil enable --without debug --without fs

# If you're on Intel macOS 10.13
# (disables SIP completely)
csrutil disable

5. Reboot
6. You can verify that System Integrity Protection is turned off by running csrutil status, which returns System Integrity Protection status: disabled. if it is turned off (it may show unknown for newer versions of macOS when disabling SIP partially).

If you are running yabai on macOS 10.13.6 (High Sierra) you can and should re–enable System Integrity Protection after the installation has completed. Repeat the steps above, but run csrutil enable instead at step 4. The same instructions apply if you ever want to re–enable System Integrity Protection after uninstalling yabai.

Please note that System Integrity Protection will be re–enabled during device repairs or analysis at any Apple Retail Store or Apple Authorized Service Provider. You will have to repeat this step after getting your device back.