diff --git a/manifests/init.pp b/manifests/init.pp
index ea82199..9469e3c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -63,6 +63,9 @@
   $ssl_server_private   = undef,
   $ssl_client_certs     = 'puppet:///modules/mcollective/empty',
   $ssl_client_certs_dir = undef, # default dependent on $confdir
+
+  # Action policy settings
+  $allowunconfigured    = '1',
 ) inherits mcollective::defaults {
 
   # Because the correct default value for several parameters is based on another
diff --git a/manifests/server/config/rpcauthprovider/action_policy.pp b/manifests/server/config/rpcauthprovider/action_policy.pp
index ffe4f75..8915fb4 100644
--- a/manifests/server/config/rpcauthprovider/action_policy.pp
+++ b/manifests/server/config/rpcauthprovider/action_policy.pp
@@ -15,6 +15,6 @@
   }
 
   mcollective::server::setting { 'plugin.actionpolicy.allow_unconfigured':
-    value => 1,
+    value => $mcollective::allowunconfigured,
   }
 }
diff --git a/spec/classes/mcollective_spec.rb b/spec/classes/mcollective_spec.rb
index 321f340..5b70ea1 100644
--- a/spec/classes/mcollective_spec.rb
+++ b/spec/classes/mcollective_spec.rb
@@ -392,6 +392,11 @@
         let(:params) { { :server => true, :rpcauthprovider => 'action_policy' } }
         it { should contain_mcollective__server__setting('plugin.actionpolicy.allow_unconfigured').with_value('1') }
       end
+
+      context 'allow_unconfigured' do
+        let(:params) { { :server => true, :rpcauthprovider => 'action_policy', :allowunconfigured => '0' }}
+        it { should contain_mcollective__server__setting('plugin.actionpolicy.allow_unconfigured').with_value('0') }
+      end
     end
 
     describe '#rpcauditprovider' do