diff --git a/nextcloud-onlyoffice/README.md b/nextcloud-onlyoffice/README.md
index d40e1e40356fe714bf89536458286f2a65491681..eedafcb4c07cf5f3ed8ff89a478dfbc733509dd9 100644
--- a/nextcloud-onlyoffice/README.md
+++ b/nextcloud-onlyoffice/README.md
@@ -7,6 +7,24 @@ its document editor. Depends on the
 chart](https://open.greenhost.net/openappstack/nextcloud/tree/master/onlyoffice-documentserver).
 For configuration details on those charts, refer to their documentation.
 
+## Apps
+
+The Nextcloud app store allows admin users to install applications, many of
+which have not undergone security testing. For that reason we disabled
+downloading new apps via the app store. As the person installing Nextcloud it is
+possible to specify which applications from the app store are available for
+installation. It is also possible to enable them by default. Apps that are not
+enabled by default can be enabled through the Apps screen in Nextcloud.
+
+To install apps, edit the values.yaml file:
+
+```yaml
+apps:
+  - name: sociallogin  # Installs sociallogin app
+    enabled: false     # Disables sociallogin by default
+```
+
+
 ## Installation
 
 Make sure you have a `onlyoffice-documentserver` helm repo before running helm
diff --git a/nextcloud-onlyoffice/templates/job-register-onlyoffice.yaml b/nextcloud-onlyoffice/templates/job-setup-apps.yaml
similarity index 89%
rename from nextcloud-onlyoffice/templates/job-register-onlyoffice.yaml
rename to nextcloud-onlyoffice/templates/job-setup-apps.yaml
index 0f51b16a4b340cef647a2c1ece8aae0e5d2dcd44..7ac4441072c0cac574e4d854f1d1324dfed32411 100644
--- a/nextcloud-onlyoffice/templates/job-register-onlyoffice.yaml
+++ b/nextcloud-onlyoffice/templates/job-setup-apps.yaml
@@ -3,7 +3,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: "{{ .Release.Name }}-register-onlyoffice"
+  name: "{{ .Release.Name }}-setup-apps"
   labels:
     app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
     app.kubernetes.io/instance: {{ .Release.Name | quote }}
@@ -24,11 +24,11 @@ spec:
       restartPolicy: Never
       securityContext: {{- include "nextcloud-onlyoffice.securityContext" . | indent 8 }}
       containers:
-      - name: {{ .Release.Name }}-register-onlyoffice-job
+      - name: {{ .Release.Name }}-setup-apps-job
         image: {{ .Values.nextcloud.image.repository }}:{{ .Values.nextcloud.image.tag }}
         command:
           - "/bin/bash"
-          - "/var/local/onlyoffice-setup.sh"
+          - "/var/local/setup-apps.sh"
         volumeMounts: {{- include "nextcloud-onlyoffice.volumeMounts" . | indent 8 }}
         env: {{- include "nextcloud-onlyoffice.env" . | indent 8 }}
       volumes: {{- include "nextcloud-onlyoffice.volumes" . | indent 6 }}
diff --git a/nextcloud-onlyoffice/templates/onlyoffice-config.yaml b/nextcloud-onlyoffice/templates/onlyoffice-config.yaml
index 6e6c6ff9888009baa78c74c4fe61d07cc0fb7395..41660996b886ca1b9486774c84d9bd4a3309dbb9 100644
--- a/nextcloud-onlyoffice/templates/onlyoffice-config.yaml
+++ b/nextcloud-onlyoffice/templates/onlyoffice-config.yaml
@@ -26,18 +26,23 @@ data:
         }
       }
     }
-  onlyoffice-setup.sh: |
+  setup-apps.sh: |
     #!/bin/bash
 
     set -ev
     # Debug: place the json file in a persistent location for reuse
     cp /var/local/onlyoffice-config.json /var/www/html/
-    # Only install onlyoffice if it's not installed already
-    if ! php occ app:list | grep -q onlyoffice; then
-        php occ app:install onlyoffice
+    {{- range .Values.apps }}
+    # -- Begin {{ .name }}
+    # Only install {{ .name }} if it's not installed already
+    if ! php occ app:list | grep -q {{ .name }}; then
+        php occ app:install {{ .name }} --keep-disabled --no-interaction
     fi
-    # Enable onlyoffice app
-    php occ app:enable onlyoffice
+    {{- if .enabled }}
+    # Enable {{ .name }} app
+    php occ app:enable {{ .name }}
+    {{ end }} # -- end {{ .name }}
+    {{ end }} # end range {{ .Values.apps }}
 
     # Config settings from the configmap above
     php occ config:import /var/local/onlyoffice-config.json
@@ -58,7 +63,8 @@ data:
     {
         "system":{
             "trusted_proxies": "10.43.0.0/16",
-            "overwriteprotocol": "https"
+            "overwriteprotocol": "https",
+            "appstoreenabled": false
         },
         "apps":{
             "core":{
diff --git a/nextcloud-onlyoffice/values.yaml b/nextcloud-onlyoffice/values.yaml
index 65b540604459fe090b44a7b883a3fbba2411c19b..17ac94fe2de31a3ced46b7ef67a17bba1dbbc0a5 100644
--- a/nextcloud-onlyoffice/values.yaml
+++ b/nextcloud-onlyoffice/values.yaml
@@ -17,6 +17,15 @@ nextcloud:
   cronjob:
     enabled: true
 
+apps:
+  # OIDC consumer
+  - name: sociallogin
+    enabled: false
+  # List of applications that are installed *and enabled*
+  - name: onlyoffice
+    enabled: true
+
+
 # Necessary so the chart gets installed (because the requirements.yaml has a
 # condition: `condition: mariadb.enabled`). Follow
 # https://github.com/helm/helm/issues/5135 for more info.