diff --git a/src/apps.js b/src/apps.js
index 4533a11a3..60b7671cb 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -401,11 +401,12 @@ function configure(appId, location, portBindings, accessRestriction, oauthProxy,
     });
 }
 
-function update(appId, force, manifest, portBindings, icon, callback) {
+function update(appId, force, manifest, portBindings, accessRestriction, icon, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof force, 'boolean');
     assert(manifest && typeof manifest === 'object');
     assert(!portBindings || typeof portBindings === 'object');
+    assert(accessRestriction === null || typeof accessRestriction === 'string');
     assert(!icon || typeof icon === 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -420,6 +421,11 @@ function update(appId, force, manifest, portBindings, icon, callback) {
     error = validatePortBindings(portBindings, manifest.tcpPorts);
     if (error) return callback(new AppsError(AppsError.BAD_FIELD, error.message));
 
+    if (accessRestriction !== null) {
+        error = validateAccessRestriction(accessRestriction);
+        if (error) return callback(new AppsError(AppsError.BAD_FIELD, error.message));
+    }
+
     if (icon) {
         if (!validator.isBase64(icon)) return callback(new AppsError(AppsError.BAD_FIELD, 'icon is not base64'));
 
@@ -435,9 +441,12 @@ function update(appId, force, manifest, portBindings, icon, callback) {
         var values = {
             manifest: manifest,
             portBindings: portBindings,
+            accessRestriction: accessRestriction === null ? app.accessRestriction : accessRestriction,
             oldConfig: {
                 manifest: app.manifest,
-                portBindings: app.portBindings
+                portBindings: app.portBindings,
+                accessRestriction: app.accessRestriction,
+                oauthProxy: app.oauthProxy
             }
         };
 
diff --git a/src/routes/apps.js b/src/routes/apps.js
index cc5f84d10..41ab76e69 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -253,12 +253,13 @@ function updateApp(req, res, next) {
     if (!data) return next(new HttpError(400, 'Cannot parse data field'));
     if (!data.manifest || typeof data.manifest !== 'object') return next(new HttpError(400, 'manifest is required'));
     if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
+    if (data.accessRestriction !== null && typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
     if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));
     if ('force' in data && typeof data.force !== 'boolean') return next(new HttpError(400, 'force must be a boolean'));
 
-    debug('Update app id:%s to manifest:%j', req.params.id, data.manifest);
+    debug('Update app id:%s to manifest:%j with portBindings:%j accessRestriction:%s', req.params.id, data.manifest, data.portBindings, data.accessRestriction);
 
-    apps.update(req.params.id, data.force || false, data.manifest, data.portBindings, data.icon, function (error) {
+    apps.update(req.params.id, data.force || false, data.manifest, data.portBindings, data.accessRestriction, data.icon, function (error) {
         if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
         if (error && error.reason === AppsError.BAD_FIELD) return next(new HttpError(400, error.message));
         if (error && error.reason === AppsError.BAD_STATE) return next(new HttpError(409, error.message));