diff --git a/api/chisel/service_test.go b/api/chisel/service_test.go
index 2e4919073..918c7bf1e 100644
--- a/api/chisel/service_test.go
+++ b/api/chisel/service_test.go
@@ -15,9 +15,10 @@ import (
 
 func TestPingAgentPanic(t *testing.T) {
 	endpoint := &portainer.Endpoint{
-		ID:     1,
-		EdgeID: "test-edge-id",
-		Type:   portainer.EdgeAgentOnDockerEnvironment,
+		ID:          1,
+		EdgeID:      "test-edge-id",
+		Type:        portainer.EdgeAgentOnDockerEnvironment,
+		UserTrusted: true,
 	}
 
 	_, store := datastore.MustNewTestStore(t, true, true)
diff --git a/api/chisel/tunnel.go b/api/chisel/tunnel.go
index c8374a3e3..5533978a8 100644
--- a/api/chisel/tunnel.go
+++ b/api/chisel/tunnel.go
@@ -40,7 +40,7 @@ func (s *Service) Open(endpoint *portainer.Endpoint) error {
 		return ErrAsyncEnv
 	}
 
-	if endpoint.ID == 0 || endpoint.EdgeID == "" {
+	if endpoint.ID == 0 || endpoint.EdgeID == "" || !endpoint.UserTrusted {
 		return ErrInvalidEnv
 	}
 
diff --git a/api/internal/snapshot/snapshot.go b/api/internal/snapshot/snapshot.go
index beb54cc8f..1d648d199 100644
--- a/api/internal/snapshot/snapshot.go
+++ b/api/internal/snapshot/snapshot.go
@@ -64,7 +64,7 @@ func NewBackgroundSnapshotter(dataStore dataservices.DataStore, tunnelService po
 		}
 
 		for _, e := range endpoints {
-			if !endpointutils.IsEdgeEndpoint(&e) || e.Edge.AsyncMode {
+			if !endpointutils.IsEdgeEndpoint(&e) || e.Edge.AsyncMode || !e.UserTrusted {
 				continue
 			}