diff --git a/setup/so-functions b/setup/so-functions
index 5b4914941..b1ebb1aa1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -435,6 +435,13 @@ collect_hostname_validate() {
 	done
 }
 
+collect_idh_preferences() {
+	IDHMGTRESTRICT='False'
+	whiptail_idh_preferences
+
+	if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi
+}
+
 collect_idh_services() {
 	whiptail_idh_services
 
@@ -2867,6 +2874,7 @@ write_out_idh_services() {
 
 	printf '%s\n'\
 	"idh:"\
+	"  restrict_management_ip: $IDHMGTRESTRICT"\
 	"  services:" >> "$pillar_file"
 	for service in ${idh_services[@]}; do
 	  echo "    - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file"
diff --git a/setup/so-setup b/setup/so-setup
index deca4b0d6..1cb1bdc4e 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -276,10 +276,6 @@ if [[ $is_manager || $is_import ]]; then
 	check_elastic_license
 fi
 
-if [[ $is_idh ]]; then
-	collect_idh_services
-fi
-
 if ! [[ -f $install_opt_file ]]; then
 	if [[ $is_manager && $is_sensor ]]; then
 		check_requirements "standalone"
@@ -327,6 +323,11 @@ if ! [[ -f $install_opt_file ]]; then
 		copy_ssh_key >> $setup_log 2>&1
 	fi
 
+	if [[ $is_idh ]]; then
+	  collect_idh_services
+	  collect_idh_preferences
+    fi
+
 	# Check if this is an airgap install
 	if [[ ( $is_manager || $is_import) && $is_iso ]]; then
 		whiptail_airgap
diff --git a/setup/so-whiptail b/setup/so-whiptail
index c39ec4ff7..72013b0ac 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -725,6 +725,17 @@ whiptail_homenet_sensor() {
 	export HNSENSOR
 }
 
+ whiptail_idh_preferences() {
+
+	[ -n "$TESTING" ] && return
+
+	idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \
+		"\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \
+		"$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 )
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
 
 whiptail_idh_services() {