diff --git a/build-images.sh b/build-images.sh
index 6125e403..7c3db21d 100644
--- a/build-images.sh
+++ b/build-images.sh
@@ -63,6 +63,12 @@ pecbridge_tmp_dir=$(mktemp -d)
 cleanup_list+=("${pecbridge_tmp_dir}")
 tar -C "${pecbridge_tmp_dir}" -x -v -z -f pecbridge-*.tar.gz
 
+# Download tmce plugin jar: plugin is encrypted with GPG, the password is 'subscription'
+tmce_jar_url="https://distfeed.nethserver.org/webtop/webtop-tmceplugins-6.3.1.0.jar.gpg"
+tmce_jar_path="${PWD}/webtop-tmceplugins-6.3.1.0.jar.gpg"
+echo "Downloading encrypted tmce plugin jar from ${tmce_jar_url}..."
+curl --fail -L -o "${tmce_jar_path}" "${tmce_jar_url}"
+
 #Create webtop-webapp container
 reponame="webtop-webapp"
 container=$(buildah from docker.io/library/tomcat:8-jre8)
@@ -75,6 +81,7 @@ buildah add ${container} ${PWD}/zfaker/wrappers/php /usr/share/webtop/bin/php
 buildah add ${container} ${PWD}/zfaker/wrappers/z-push-admin-wapper /usr/share/webtop/bin/z-push-admin-wrapper
 buildah add ${container} ${pecbridge_tmp_dir}/pecbridge /usr/share/pecbridge
 buildah add ${container} ${PWD}/webapp/ /
+buildah add ${container} "${tmce_jar_path}" /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
 # Commit the image
 buildah commit --rm "${container}" "${repobase}/${reponame}"
 
@@ -164,7 +171,7 @@ buildah run --env="NODE_OPTIONS=--openssl-legacy-provider" nodebuilder-webtop sh
 buildah add "${container}" imageroot /imageroot
 buildah add "${container}" ui/dist /ui
 # Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container
-buildah config --entrypoint=/ \
+buildah config --entrypoint=/entrypoint.sh \
     --label="org.nethserver.authorizations=traefik@node:routeadm mail@any:mailadm cluster:accountconsumer" \
     --label="org.nethserver.tcp-ports-demand=1" \
     --label="org.nethserver.rootfull=0" \
diff --git a/webapp/entrypoint.sh b/webapp/entrypoint.sh
new file mode 100644
index 00000000..5b12dfdc
--- /dev/null
+++ b/webapp/entrypoint.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# Enable tmce plugin only if subscription is enabled
+
+# Decrypt tmce plugins jar if subscription is enabled
+if [ "VALID_SUBSCRIPTION=true" ]; then
+    gpg --batch --yes --passphrase 'subscription' -d -o /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar  \
+        /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+fi
\ No newline at end of file