How to turn off SIP on a Macintosh (Temporarily) when you see "operation not permitted".

Article ID: 171492

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Symantec Data Loss Prevention (DLP) Endpoint

System Integrity Protection (SIP) is a kernel-level function that limits what the “root” account is able to do. SIP is enabled on the Mac, and files need to be deleted from a protected folder such as /Library.

"Operation not permitted" is the message shown on the Mac when you try to delete SIP-protected files.

Cause

SIP blocks deletion of the files by the Endpoint Agent.

Environment

The DLP Endpoint Agent is installed on a Mac with SIP enabled, and files inside the Library folder need to be deleted.

System Integrity Protection, also known as “rootless”, works by restricting the root account. The operating system kernel itself enforces checks on the root user’s access. These checks prevent root from doing certain things, such as modifying protected locations or injecting code into protected system processes. All kernel extensions must be signed, and you can’t disable System Integrity Protection from within Mac OS X itself. Applications running with elevated root permissions can no longer tamper with system files.

You’re most likely to notice this issue if you attempt to write to one of the following directories:

  • /System
  • /bin
  • /usr
  • /sbin

OS X won’t allow modifications, and you’ll see an “Operation not permitted” message.

The full list of protected locations is in /System/Library/Sandbox/rootless.conf on your Mac.

The System Integrity Protection setting isn’t stored in Mac OS X itself. Instead, it’s stored in NVRAM on each individual Mac. It can only be modified from the recovery environment.

Resolution

  1. To boot into recovery mode, restart your Mac and hold Command+R as it boots.
  2. You’ll enter the recovery environment. Click the “Utilities” menu and select “Terminal” to open a terminal window.
  3. Type "csrutil status" into the Terminal window to check whether SIP is enabled.
  4. If SIP is enabled, type "csrutil disable".
  5. After deleting the necessary files on the Macintosh, boot into Recovery Mode again and turn SIP back on by typing "csrutil enable" into a Terminal window.
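As an added example (not part of this article, and not Symantec's or Apple's code), the following POSIX shell script performs the pre-flight check an administrator would want before disabling SIP: it parses the line that `csrutil status` prints (sample output constructed here), tests whether the path that failed to delete lies under one of the protected locations listed above, and reports whether SIP is actually the cause of the "Operation not permitted" error. The prefix list is taken from the article and the /usr/local exemption is a known SIP carve-out; both are written into the script as assumptions, and on a real Mac the authoritative list is rootless.conf.

```shell
#!/bin/sh
# Pre-flight check: is a failed deletion really caused by SIP?
# Added example for this article, not Symantec's or Apple's code.
# All inputs below are constructed so the script runs on any POSIX shell;
# on a real Mac feed it the live output of `csrutil status` instead.

# Constructed samples of the line `csrutil status` prints.
SAMPLE_STATUS_ENABLED="System Integrity Protection status: enabled."
SAMPLE_STATUS_DISABLED="System Integrity Protection status: disabled."

# Protected prefixes named in the article (constructed list; on a real Mac
# the authoritative list is /System/Library/Sandbox/rootless.conf).
PROTECTED_PREFIXES="/System /bin /usr /sbin"

# Known exemption: SIP leaves /usr/local writable for third-party tools.
EXEMPT_PREFIXES="/usr/local"

# sip_state "<csrutil status output>" -> prints enabled | disabled | unknown
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# path_under PATH PREFIX -> exit 0 if PATH equals PREFIX or lies beneath it.
# The "/" after the prefix keeps /Systemic from matching /System.
path_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# is_sip_protected PATH -> exit 0 if PATH is inside a protected location
# and not inside an exempt one, 1 otherwise.
is_sip_protected() {
    for ex in $EXEMPT_PREFIXES; do
        path_under "$1" "$ex" && return 1
    done
    for pr in $PROTECTED_PREFIXES; do
        path_under "$1" "$pr" && return 0
    done
    return 1
}

# explain_failure "<csrutil status output>" PATH -> prints one token:
#   sip-blocked   SIP is on and PATH is protected: the recovery-mode steps apply
#   not-sip-path  SIP is on but PATH is not protected: check ownership, ACLs
#                 or file flags instead of touching SIP
#   sip-off       SIP is already disabled: SIP is not the cause
#   unknown       the status line could not be parsed
explain_failure() {
    state=$(sip_state "$1")
    if [ "$state" = enabled ]; then
        if is_sip_protected "$2"; then
            echo sip-blocked
        else
            echo not-sip-path
        fi
    elif [ "$state" = disabled ]; then
        echo sip-off
    else
        echo unknown
    fi
}

# Stand-alone demo over the constructed samples.
for p in /System/Library/Example.kext /usr/local/bin/tool /Users/alice/report.txt; do
    printf '%s -> %s\n' "$p" "$(explain_failure "$SAMPLE_STATUS_ENABLED" "$p")"
done
```

On a Mac the call is `explain_failure "$(csrutil status)" /path/that/failed`; `csrutil status` is readable from a normal session, so this check needs no trip to Recovery. Only a `sip-blocked` result justifies the procedure above, and the window during which SIP stays disabled should be kept as short as the file deletion itself.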