Begining with OS X 10.11 El Capitan, a set of security mechanism, System Integrity Protection(SIP), has been enforced and it can only be configured or turned off in the recovery environment like Recovery HD. In the normal environment, SIP configuration will not be permitted even with root privilege. If so, the SIP would be useless since it can be easily turned off.
As many people may already noticed, the configuration of SIP status is stored in
the NVRAM with a property called csr-active-config
. Of course users wouldn’t be