diff --git a/.env_agent b/.env_agent
index 5c84ba591..a2f9be2a6 100644
--- a/.env_agent
+++ b/.env_agent
@@ -1,6 +1,6 @@
 # ZBX_SOURCEIP=
 # ZBX_DEBUGLEVEL=3
-# ZBX_ENABLEREMOTECOMMANDS=0
+# ZBX_ENABLEREMOTECOMMANDS=0 # Deprecated since 5.0.0
 # ZBX_LOGREMOTECOMMANDS=0
 # ZBX_HOSTINTERFACE= # Available since 4.4.0
 # ZBX_HOSTINTERFACEITEM= # Available since 4.4.0
@@ -33,3 +33,5 @@
 # ZBX_TLSKEYFILE=
 # ZBX_TLSPSKIDENTITY=
 # ZBX_TLSPSKFILE=
+# ZBX_DENYKEY=system.run[*]
+# ZBX_ALLOWKEY=
diff --git a/agent/alpine/README.md b/agent/alpine/README.md
index 336a73d60..b80622c12 100644
--- a/agent/alpine/README.md
+++ b/agent/alpine/README.md
@@ -137,7 +137,7 @@ Additionally the image allows to specify many other environment variables listed
 
 ```
 ZBX_SOURCEIP=
-ZBX_ENABLEREMOTECOMMANDS=0
+ZBX_ENABLEREMOTECOMMANDS=0 # Deprecated since 5.0.0
 ZBX_LOGREMOTECOMMANDS=0
 ZBX_HOSTINTERFACE= # Available since 4.4.0
 ZBX_HOSTINTERFACEITEM= # Available since 4.4.0
@@ -161,6 +161,8 @@ ZBX_TLSCERTFILE=
 ZBX_TLSKEYFILE=
 ZBX_TLSPSKIDENTITY=
 ZBX_TLSPSKFILE=
+ZBX_DENYKEY=system.run[*] # Available since 5.0.0
+ZBX_ALLOWKEY= # Available since 5.0.0
 ```
 
 Default values of these variables are specified after equal sign.
diff --git a/agent/alpine/docker-entrypoint.sh b/agent/alpine/docker-entrypoint.sh
index 2c215dc81..6f9b0bf77 100755
--- a/agent/alpine/docker-entrypoint.sh
+++ b/agent/alpine/docker-entrypoint.sh
@@ -86,9 +86,12 @@ update_config_var() {
     elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then
         sed -i -e  "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path"
         echo "added first occurrence"
-    else
+    elif [ "$(grep -Ec "^[#;] $var_name=" $config_path)" -gt 0 ]; then
         sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path"
         echo "added"
+    else
+        sed -i -e '$a\' -e "$var_name=$var_value" "$config_path"
+        echo "added at the end"
     fi
 
 }
@@ -130,7 +133,6 @@ prepare_zbx_agent_config() {
     update_config_var $ZBX_AGENT_CONFIG "LogFileSize"
     update_config_var $ZBX_AGENT_CONFIG "DebugLevel" "${ZBX_DEBUGLEVEL}"
     update_config_var $ZBX_AGENT_CONFIG "SourceIP"
-    update_config_var $ZBX_AGENT_CONFIG "EnableRemoteCommands" "${ZBX_ENABLEREMOTECOMMANDS}"
     update_config_var $ZBX_AGENT_CONFIG "LogRemoteCommands" "${ZBX_LOGREMOTECOMMANDS}"
 
     : ${ZBX_PASSIVE_ALLOW:="true"}
@@ -182,6 +184,9 @@ prepare_zbx_agent_config() {
     update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}"
     update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}"
 
+    update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}"
+    update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}"
+
     if [ "$(id -u)" != '0' ]; then
         update_config_var $ZBX_AGENT_CONFIG "User" "$(whoami)"
     else
diff --git a/agent/centos/README.md b/agent/centos/README.md
index 336a73d60..b80622c12 100644
--- a/agent/centos/README.md
+++ b/agent/centos/README.md
@@ -137,7 +137,7 @@ Additionally the image allows to specify many other environment variables listed
 
 ```
 ZBX_SOURCEIP=
-ZBX_ENABLEREMOTECOMMANDS=0
+ZBX_ENABLEREMOTECOMMANDS=0 # Deprecated since 5.0.0
 ZBX_LOGREMOTECOMMANDS=0
 ZBX_HOSTINTERFACE= # Available since 4.4.0
 ZBX_HOSTINTERFACEITEM= # Available since 4.4.0
@@ -161,6 +161,8 @@ ZBX_TLSCERTFILE=
 ZBX_TLSKEYFILE=
 ZBX_TLSPSKIDENTITY=
 ZBX_TLSPSKFILE=
+ZBX_DENYKEY=system.run[*] # Available since 5.0.0
+ZBX_ALLOWKEY= # Available since 5.0.0
 ```
 
 Default values of these variables are specified after equal sign.
diff --git a/agent/centos/docker-entrypoint.sh b/agent/centos/docker-entrypoint.sh
index 2c215dc81..6f9b0bf77 100755
--- a/agent/centos/docker-entrypoint.sh
+++ b/agent/centos/docker-entrypoint.sh
@@ -86,9 +86,12 @@ update_config_var() {
     elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then
         sed -i -e  "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path"
         echo "added first occurrence"
-    else
+    elif [ "$(grep -Ec "^[#;] $var_name=" $config_path)" -gt 0 ]; then
         sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path"
         echo "added"
+    else
+        sed -i -e '$a\' -e "$var_name=$var_value" "$config_path"
+        echo "added at the end"
     fi
 
 }
@@ -130,7 +133,6 @@ prepare_zbx_agent_config() {
     update_config_var $ZBX_AGENT_CONFIG "LogFileSize"
     update_config_var $ZBX_AGENT_CONFIG "DebugLevel" "${ZBX_DEBUGLEVEL}"
     update_config_var $ZBX_AGENT_CONFIG "SourceIP"
-    update_config_var $ZBX_AGENT_CONFIG "EnableRemoteCommands" "${ZBX_ENABLEREMOTECOMMANDS}"
     update_config_var $ZBX_AGENT_CONFIG "LogRemoteCommands" "${ZBX_LOGREMOTECOMMANDS}"
 
     : ${ZBX_PASSIVE_ALLOW:="true"}
@@ -182,6 +184,9 @@ prepare_zbx_agent_config() {
     update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}"
     update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}"
 
+    update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}"
+    update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}"
+
     if [ "$(id -u)" != '0' ]; then
         update_config_var $ZBX_AGENT_CONFIG "User" "$(whoami)"
     else
diff --git a/agent/ubuntu/README.md b/agent/ubuntu/README.md
index 336a73d60..b80622c12 100644
--- a/agent/ubuntu/README.md
+++ b/agent/ubuntu/README.md
@@ -137,7 +137,7 @@ Additionally the image allows to specify many other environment variables listed
 
 ```
 ZBX_SOURCEIP=
-ZBX_ENABLEREMOTECOMMANDS=0
+ZBX_ENABLEREMOTECOMMANDS=0 # Deprecated since 5.0.0
 ZBX_LOGREMOTECOMMANDS=0
 ZBX_HOSTINTERFACE= # Available since 4.4.0
 ZBX_HOSTINTERFACEITEM= # Available since 4.4.0
@@ -161,6 +161,8 @@ ZBX_TLSCERTFILE=
 ZBX_TLSKEYFILE=
 ZBX_TLSPSKIDENTITY=
 ZBX_TLSPSKFILE=
+ZBX_DENYKEY=system.run[*] # Available since 5.0.0
+ZBX_ALLOWKEY= # Available since 5.0.0
 ```
 
 Default values of these variables are specified after equal sign.
diff --git a/agent/ubuntu/docker-entrypoint.sh b/agent/ubuntu/docker-entrypoint.sh
index 2c215dc81..6f9b0bf77 100755
--- a/agent/ubuntu/docker-entrypoint.sh
+++ b/agent/ubuntu/docker-entrypoint.sh
@@ -86,9 +86,12 @@ update_config_var() {
     elif [ "$(grep -Ec "^# $var_name=" $config_path)" -gt 1 ]; then
         sed -i -e  "/^[#;] $var_name=$/i\\$var_name=$var_value" "$config_path"
         echo "added first occurrence"
-    else
+    elif [ "$(grep -Ec "^[#;] $var_name=" $config_path)" -gt 0 ]; then
         sed -i -e "/^[#;] $var_name=/s/.*/&\n$var_name=$var_value/" "$config_path"
         echo "added"
+    else
+        sed -i -e '$a\' -e "$var_name=$var_value" "$config_path"
+        echo "added at the end"
     fi
 
 }
@@ -130,7 +133,6 @@ prepare_zbx_agent_config() {
     update_config_var $ZBX_AGENT_CONFIG "LogFileSize"
     update_config_var $ZBX_AGENT_CONFIG "DebugLevel" "${ZBX_DEBUGLEVEL}"
     update_config_var $ZBX_AGENT_CONFIG "SourceIP"
-    update_config_var $ZBX_AGENT_CONFIG "EnableRemoteCommands" "${ZBX_ENABLEREMOTECOMMANDS}"
     update_config_var $ZBX_AGENT_CONFIG "LogRemoteCommands" "${ZBX_LOGREMOTECOMMANDS}"
 
     : ${ZBX_PASSIVE_ALLOW:="true"}
@@ -182,6 +184,9 @@ prepare_zbx_agent_config() {
     update_config_var $ZBX_AGENT_CONFIG "TLSPSKIdentity" "${ZBX_TLSPSKIDENTITY}"
     update_config_var $ZBX_AGENT_CONFIG "TLSPSKFile" "${ZBX_TLSPSKFILE}"
 
+    update_config_multiple_var $ZBX_AGENT_CONFIG "DenyKey" "${ZBX_DENYKEY}"
+    update_config_multiple_var $ZBX_AGENT_CONFIG "AllowKey" "${ZBX_ALLOWKEY}"
+
     if [ "$(id -u)" != '0' ]; then
         update_config_var $ZBX_AGENT_CONFIG "User" "$(whoami)"
     else