diff --git a/templates/tests/test-disabled-apps.yaml b/templates/tests/test-disabled-apps.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ebd68ced212f24945bdda406b165f020a4af54b4
--- /dev/null
+++ b/templates/tests/test-disabled-apps.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ .Release.Name }}-disabled-apps-test"
+  labels:
+    app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+    app.kubernetes.io/instance: {{ .Release.Name | quote }}
+    helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+  annotations:
+    "helm.sh/hook": test
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  restartPolicy: Never
+  serviceAccountName: {{ .Release.Name }}-setup-apps-job
+  containers:
+  - name: test-disabled-apps
+    image: docker.io/bitnami/kubectl:1.25
+    command: ["kubectl", "exec", "deploy/{{ .Release.Name }}-nextcloud", "-n", {{ .Release.Namespace }}, "-c", "nextcloud", "--", "su", "www-data", "-s", "/bin/bash", "-c"]
+    args:
+    - >
+      cd /var/www/html;
+      echo 'Allowed to be disabled: {{ .Values.tests.disabledApps.allowedDisabled | keys | join "," }}';
+      echo 'Other disabled apps (empty output is okay):';
+      php occ app:list | sed -e "0,/^Disabled:$/d" | grep -v -E -e '({{ .Values.tests.disabledApps.allowedDisabled | keys | join "|" }})'; test $? -eq 1;
diff --git a/values.yaml b/values.yaml
index 2a7020ba21fd09bdf75b1b062c2fb76356c390dc..a33bd8d46928b8679aec6a4515b98da1329d2703 100644
--- a/values.yaml
+++ b/values.yaml
@@ -231,3 +231,13 @@ tests:
     #   message:
     #   author:
     #   sha:
+  # We verify in a helm test that no apps are disabled except ones from this list.
+  disabledApps:
+    allowedDisabled:
+      admin_audit:
+      bruteforcesettings:
+      encryption:
+      files_external:
+      suspicious_login:
+      twofactor_totp:
+      user_ldap: