diff --git a/apps/dashboard/config/application.rb b/apps/dashboard/config/application.rb
index 8587bb56c..ae2079cac 100644
--- a/apps/dashboard/config/application.rb
+++ b/apps/dashboard/config/application.rb
@@ -46,5 +46,19 @@ class Application < Rails::Application
       config.autoload_paths << ::Configuration.config_root.join("lib").to_s
       config.paths["app/views"].unshift ::Configuration.config_root.join("views").to_s
     end
+
+    # Enable installed plugins only if configured by administrator
+    plugins_dir = Pathname.new(::Configuration.plugins_directory)
+    if plugins_dir.directory?
+      plugins_dir.children.select(&:directory?).each do |installed_plugin|
+        next unless installed_plugin.readable?
+        # Ignore plugins not installed by admins - plugin directory should be owned by root
+        next if ::Configuration.rails_env_production? && !File.stat(installed_plugin.to_s).uid.zero?
+
+        config.paths["config/initializers"] << installed_plugin.join("initializers").to_s
+        config.autoload_paths << installed_plugin.join("lib").to_s
+        config.paths["app/views"].unshift installed_plugin.join("views").to_s
+      end
+    end
   end
 end
diff --git a/apps/dashboard/config/configuration_singleton.rb b/apps/dashboard/config/configuration_singleton.rb
index 9db8aa902..23f27a404 100644
--- a/apps/dashboard/config/configuration_singleton.rb
+++ b/apps/dashboard/config/configuration_singleton.rb
@@ -74,8 +74,9 @@ def string_configs
       :rclone_extra_config            => nil,
       :default_profile                => nil,
       :project_size_timeout           => '15',
-      :novnc_default_compression   => '6',
-      :novnc_default_quality       => '2'
+      :novnc_default_compression      => '6',
+      :novnc_default_quality          => '2',
+      :plugins_directory              => '/etc/ood/config/plugins'
     }.freeze
   end
 
@@ -427,6 +428,10 @@ def connect_sources
     sources
   end
 
+  def rails_env_production?
+    rails_env == 'production'
+  end
+
   private
 
   def can_access_core_app?(name)
diff --git a/apps/dashboard/test/config/configuration_singleton_test.rb b/apps/dashboard/test/config/configuration_singleton_test.rb
index 6ec5f3d4e..7ef68fe8f 100644
--- a/apps/dashboard/test/config/configuration_singleton_test.rb
+++ b/apps/dashboard/test/config/configuration_singleton_test.rb
@@ -535,4 +535,20 @@ def no_config_env
       assert_equal(30_000, ConfigurationSingleton.new.bc_sessions_poll_delay)
     end
   end
+
+  test "rails_env_production? should return true if production environment" do
+    with_modified_env(RAILS_ENV: 'production') do
+      assert ConfigurationSingleton.new.rails_env_production?
+    end
+  end
+
+  test "rails_env_production? should return false if development or test environment" do
+    with_modified_env(RAILS_ENV: 'development') do
+      refute ConfigurationSingleton.new.rails_env_production?
+    end
+
+    with_modified_env(RAILS_ENV: 'test') do
+      refute ConfigurationSingleton.new.rails_env_production?
+    end
+  end
 end