diff --git a/webadmin/src/views/apps.html b/webadmin/src/views/apps.html
index 26ba92342..702da91c5 100644
--- a/webadmin/src/views/apps.html
+++ b/webadmin/src/views/apps.html
@@ -77,24 +77,30 @@
                             <label class="control-label">Access control</label>
                             <div class="radio">
                                 <label>
-                                    <input type="radio" ng-model="appConfigure.accessRestrictionOption" value="">
+                                    <input type="radio" ng-model="appConfigure.accessRestrictionOption" value="any">
                                     Every Cloudron user
                                 </label>
                             </div>
                             <div class="radio">
                                 <label>
-                                    <input type="radio" ng-model="appConfigure.accessRestrictionOption" value="restricted">
+                                    <input type="radio" ng-model="appConfigure.accessRestrictionOption" value="groups">
                                     Restrict to groups
                                 </label>
                             </div>
-                            <div class="has-error" ng-show="appConfigure.accessRestrictionOption !== '' && !appConfigure.isAccessRestrictionValid()">Select at least one group</div>
+                            <div class="has-error" ng-show="appConfigure.accessRestrictionOption === 'groups' && !appConfigure.isAccessRestrictionValid()">Select at least one group</div>
                             <div>
                                 <div>
                                     <span ng-repeat="group in groups | ignoreAdminGroup">
-                                        <button class="btn btn-default" type="button" ng-disabled="appConfigure.accessRestrictionOption === ''" ng-click="appConfigureToggleGroup(group);" ng-class="{ 'btn-primary': (appConfigure.accessRestriction.groups && appConfigure.accessRestriction.groups.indexOf(group.id) !== -1) }">{{ group.name }}</button>
+                                        <button class="btn btn-default" type="button" ng-disabled="appConfigure.accessRestrictionOption !== 'groups'" ng-click="appConfigureToggleGroup(group);" ng-class="{ 'btn-primary': (appConfigure.accessRestriction.groups && appConfigure.accessRestriction.groups.indexOf(group.id) !== -1) }">{{ group.name }}</button>
                                     </span>
                                 </div>
                             </div>
+                            <div class="radio" ng-show="appConfigure.needsOAuthProxy">
+                                <label>
+                                    <input type="radio" ng-model="appConfigure.accessRestrictionOption" value="unrestricted">
+                                    Unrestricted
+                                </label>
+                            </div>
                         </div>
 
                         <br/>
@@ -151,13 +157,13 @@
                             </div>
                             <input type="password" class="form-control" ng-model="appConfigure.password" id="appConfigurePasswordInput" name="password" required>
                         </div>
-                        <input class="ng-hide" type="submit" ng-disabled="appConfigureForm.$invalid || busy || (appConfigure.accessRestrictionOption !== '' && !appConfigure.isAccessRestrictionValid())"/>
+                        <input class="ng-hide" type="submit" ng-disabled="appConfigureForm.$invalid || busy || (appConfigure.accessRestrictionOption === 'groups' && !appConfigure.isAccessRestrictionValid())"/>
                     </form>
                 </fieldset>
             </div>
             <div class="modal-footer ">
                 <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
-                <button type="button" class="btn btn-success" ng-click="doConfigure()" ng-disabled="appConfigureForm.$invalid || appConfigure.busy || (appConfigure.accessRestrictionOption !== '' && !appConfigure.isAccessRestrictionValid()) || !appConfigure.isAltDomainValid()"><i class="fa fa-spinner fa-pulse" ng-show="appConfigure.busy"></i> Save</button>
+                <button type="button" class="btn btn-success" ng-click="doConfigure()" ng-disabled="appConfigureForm.$invalid || appConfigure.busy || (appConfigure.accessRestrictionOption === 'groups' && !appConfigure.isAccessRestrictionValid()) || !appConfigure.isAltDomainValid()"><i class="fa fa-spinner fa-pulse" ng-show="appConfigure.busy"></i> Save</button>
             </div>
         </div>
     </div>
diff --git a/webadmin/src/views/apps.js b/webadmin/src/views/apps.js
index 8fd203812..175889fac 100644
--- a/webadmin/src/views/apps.js
+++ b/webadmin/src/views/apps.js
@@ -35,9 +35,10 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         keyFile: null,
         keyFileName: '',
         memoryLimit: $scope.memoryTicks[0],
-        accessRestrictionOption: '',
+        accessRestrictionOption: 'any',
         accessRestriction: { users: [], groups: [] },
         xFrameOptions: '',
+        needsOAuthProxy: false,
 
         isAccessRestrictionValid: function () {
             var tmp = $scope.appConfigure.accessRestriction;
@@ -92,9 +93,10 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appConfigure.keyFile = null;
         $scope.appConfigure.keyFileName = '';
         $scope.appConfigure.memoryLimit = $scope.memoryTicks[0];
-        $scope.appConfigure.accessRestrictionOption = '';
+        $scope.appConfigure.accessRestrictionOption = 'any';
         $scope.appConfigure.accessRestriction = { users: [], groups: [] };
         $scope.appConfigure.xFrameOptions = '';
+        $scope.appConfigure.needsOAuthProxy = false;
 
         $scope.appConfigureForm.$setPristine();
         $scope.appConfigureForm.$setUntouched();
@@ -180,11 +182,19 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appConfigure.location = app.altDomain || app.location;
         $scope.appConfigure.usingAltDomain = !!app.altDomain;
         $scope.appConfigure.portBindingsInfo = app.manifest.tcpPorts || {}; // Portbinding map only for information
-        $scope.appConfigure.accessRestrictionOption = app.accessRestriction ? 'restricted' : '';
+        $scope.appConfigure.accessRestrictionOption = app.accessRestriction ? 'groups' : 'any';
         $scope.appConfigure.accessRestriction = app.accessRestriction || { users: [], groups: [] };
         $scope.appConfigure.memoryLimit = app.memoryLimit;
         $scope.appConfigure.xFrameOptions = app.xFrameOptions.indexOf('ALLOW-FROM') === 0 ? app.xFrameOptions.split(' ')[1] : '';
 
+        var manifest = app.manifest;
+        $scope.appConfigure.needsOAuthProxy = !(manifest.addons['ldap'] || manifest.addons['oauth'] || manifest.addons['simpleauth']);
+        if ($scope.appConfigure.needsOAuthProxy && !app.oauthProxy) {
+            $scope.appConfigure.accessRestrictionOption = 'unrestricted';
+        } else {
+            $scope.appConfigure.accessRestrictionOption = app.accessRestriction ? 'groups' : 'any';
+        }
+
         // fill the portBinding structures. There might be holes in the app.portBindings, which signalizes a disabled port
         for (var env in $scope.appConfigure.portBindingsInfo) {
             if (app.portBindings && app.portBindings[env]) {
@@ -218,11 +228,12 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
             location:  $scope.appConfigure.usingAltDomain ? $scope.appConfigure.app.location : $scope.appConfigure.location,
             altDomain: $scope.appConfigure.usingAltDomain ? $scope.appConfigure.location : null,
             portBindings: finalPortBindings,
-            accessRestriction: !$scope.appConfigure.accessRestrictionOption ? null : $scope.appConfigure.accessRestriction,
+            accessRestriction: $scope.appConfigure.accessRestrictionOption === 'groups' ? $scope.appConfigure.accessRestriction : null,
             cert: $scope.appConfigure.certificateFile,
             key: $scope.appConfigure.keyFile,
             xFrameOptions: $scope.appConfigure.xFrameOptions ? ('ALLOW-FROM ' + $scope.appConfigure.xFrameOptions) : 'SAMEORIGIN',
-            memoryLimit: $scope.appConfigure.memoryLimit
+            memoryLimit: $scope.appConfigure.memoryLimit,
+            oauthProxy:  $scope.appConfigure.needsOAuthProxy && $scope.appConfigure.accessRestrictionOption !== 'unrestricted'
         };
 
         Client.configureApp($scope.appConfigure.app.id, $scope.appConfigure.password, data, function (error) {
diff --git a/webadmin/src/views/appstore.html b/webadmin/src/views/appstore.html
index 17bbbb84e..2ccfef6a3 100644
--- a/webadmin/src/views/appstore.html
+++ b/webadmin/src/views/appstore.html
@@ -43,25 +43,31 @@
                             <label class="control-label">Access control</label>
                             <div class="radio">
                                 <label>
-                                    <input type="radio" ng-model="appInstall.accessRestrictionOption" value="">
+                                    <input type="radio" ng-model="appInstall.accessRestrictionOption" value="any">
                                     Every Cloudron user
                                 </label>
                             </div>
                             <div class="radio">
                                 <label>
-                                    <input type="radio" ng-model="appInstall.accessRestrictionOption" value="restricted" ng-disabled="groups.length <= 1">
+                                    <input type="radio" ng-model="appInstall.accessRestrictionOption" value="groups" ng-disabled="groups.length <= 1">
                                     Restrict to groups
                                 </label>
                             </div>
                             <div ng-show="groups.length <= 1">No groups available. Create groups to restrict access to them first.</div>
-                            <div class="has-error" ng-show="appInstall.accessRestrictionOption !== '' && !appInstall.isAccessRestrictionValid()">Select at least one group</div>
+                            <div class="has-error" ng-show="appInstall.accessRestrictionOption === 'groups' && !appInstall.isAccessRestrictionValid()">Select at least one group</div>
                             <div>
                                 <div>
                                     <span ng-repeat="group in groups | ignoreAdminGroup">
-                                        <button class="btn btn-default" type="button" ng-disabled="appInstall.accessRestrictionOption === ''" ng-click="appInstall.toggleGroup(group);" ng-class="{ 'btn-primary': (appInstall.accessRestriction.groups && appInstall.accessRestriction.groups.indexOf(group.id) !== -1) }">{{ group.name }}</button>
+                                        <button class="btn btn-default" type="button" ng-disabled="appInstall.accessRestrictionOption !== 'groups'" ng-click="appInstall.toggleGroup(group);" ng-class="{ 'btn-primary': (appInstall.accessRestriction.groups && appInstall.accessRestriction.groups.indexOf(group.id) !== -1) }">{{ group.name }}</button>
                                     </span>
                                 </div>
                             </div>
+                            <div class="radio" ng-show="appInstall.needsOAuthProxy">
+                                <label>
+                                    <input type="radio" ng-model="appInstall.accessRestrictionOption" value="unrestricted">
+                                    Unrestricted
+                                </label>
+                            </div>
                         </div>
 
                         <br/>
diff --git a/webadmin/src/views/appstore.js b/webadmin/src/views/appstore.js
index 5a4e02829..8cc8a406e 100644
--- a/webadmin/src/views/appstore.js
+++ b/webadmin/src/views/appstore.js
@@ -34,9 +34,10 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
         certificateFileName: '',
         keyFile: null,
         keyFileName: '',
-        accessRestrictionOption: '',
+        accessRestrictionOption: 'any',
         accessRestriction: { users: [], groups: [] },
         accessRestrictionSingleUser: null,
+        needsOAuthProxy: false,
 
         isAccessRestrictionValid: function () {
             var tmp = $scope.appInstall.accessRestriction;
@@ -63,9 +64,10 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
             $scope.appInstall.certificateFileName = '';
             $scope.appInstall.keyFile = null;
             $scope.appInstall.keyFileName = '';
-            $scope.appInstall.accessRestrictionOption = '';
+            $scope.appInstall.accessRestrictionOption = 'any';
             $scope.appInstall.accessRestriction = { users: [], groups: [] };
             $scope.appInstall.accessRestrictionSingleUser = null;
+            $scope.appInstall.needsOAuthProxy = false;
 
             $('#collapseInstallForm').collapse('hide');
             $('#collapseResourceConstraint').collapse('hide');
@@ -104,10 +106,14 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
             $scope.appInstall.portBindingsInfo = $scope.appInstall.app.manifest.tcpPorts || {};   // Portbinding map only for information
             $scope.appInstall.portBindings = {};                            // This is the actual model holding the env:port pair
             $scope.appInstall.portBindingsEnabled = {};                     // This is the actual model holding the enabled/disabled flag
-            $scope.appInstall.accessRestrictionOption = app.accessRestriction ? 'restricted' : '';
+            $scope.appInstall.accessRestrictionOption = app.accessRestriction ? 'groups' : 'any';
             $scope.appInstall.accessRestriction = app.accessRestriction || { users: [], groups: [] };
             $scope.appInstall.accessRestrictionSingleUser = null;
 
+            var manifest = app.manifest;
+            $scope.appInstall.needsOAuthProxy = !(manifest.addons['ldap'] || manifest.addons['oauth'] || manifest.addons['simpleauth']);
+            $scope.appInstall.accessRestrictionOption = 'any';
+
             // set default ports
             for (var env in $scope.appInstall.app.manifest.tcpPorts) {
                 $scope.appInstall.portBindings[env] = $scope.appInstall.app.manifest.tcpPorts[env].defaultValue || 0;
@@ -134,7 +140,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
             // translate to accessRestriction object
             var accessRestriction = $scope.appInstall.app.manifest.singleUser ? {
                 users: [ $scope.appInstall.accessRestrictionSingleUser.id ]
-            } : (!$scope.appInstall.accessRestrictionOption ? null : $scope.appInstall.accessRestriction);
+            } : ($scope.appInstall.accessRestrictionOption === 'groups' ? $scope.appInstall.accessRestriction : null);
 
             var data = {
                 location: $scope.appInstall.location || '',
@@ -142,6 +148,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
                 accessRestriction: accessRestriction,
                 cert: $scope.appInstall.certificateFile,
                 key: $scope.appInstall.keyFile,
+                oauthProxy:  $scope.appInstall.needsOAuthProxy && ($scope.appInstall.app.manifest.singleUser || $scope.appInstall.accessRestrictionOption !== 'unrestricted')
             };
 
             Client.installApp($scope.appInstall.app.id, $scope.appInstall.app.manifest, $scope.appInstall.app.title, data, function (error) {