diff --git a/.gitignore b/.gitignore
index bf962c8abe..f793204262 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,7 +81,6 @@ test-*.trs
/data/org.freedesktop.NetworkManager.service
/data/server.conf
/data/org.freedesktop.NetworkManager.policy
-/data/org.freedesktop.NetworkManager.policy.in
/data/nm-sudo.service
/data/nm-priv-helper.service
/data/NetworkManager-config-initrd.service
diff --git a/NEWS b/NEWS
index f9f1832be4..c93798c62b 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,10 @@ USE AT YOUR OWN RISK. NOT RECOMMENDED FOR PRODUCTION USE!
* Install the systemd units in the initramfs using a systemd generator.
* A new "check-connectivity" configuration option is available to disable the
connectivity check for selected interfaces.
+* Remove the modify_system build option that allowed setting up the
+ polkit permissions to allow non-admin users to create system-wide
+ connection. That configuration is discouraged because it can be used
+ to bypass filesystem permissions.
=============================================
NetworkManager-1.56
diff --git a/contrib/fedora/rpm/NetworkManager.spec b/contrib/fedora/rpm/NetworkManager.spec
index 820cfda607..bfcc1089ae 100644
--- a/contrib/fedora/rpm/NetworkManager.spec
+++ b/contrib/fedora/rpm/NetworkManager.spec
@@ -665,7 +665,6 @@ Preferably use nmcli instead.
-Dselinux=true \
-Dpolkit=true \
-Dconfig_auth_polkit_default=true \
- -Dmodify_system=true \
-Dconcheck=true \
%if 0%{?fedora}
-Dlibpsl=true \
diff --git a/contrib/fedora/rpm/configure-for-system.sh b/contrib/fedora/rpm/configure-for-system.sh
index e52e372bca..62999b11b5 100755
--- a/contrib/fedora/rpm/configure-for-system.sh
+++ b/contrib/fedora/rpm/configure-for-system.sh
@@ -401,7 +401,6 @@ meson setup\
-Dselinux=true \
-Dpolkit=true \
-Dconfig_auth_polkit_default=true \
- -Dmodify_system=true \
-Dconcheck=true \
-Dlibpsl="$(bool_true "$P_FEDORA")" \
-Dsession_tracking=systemd \
diff --git a/data/meson.build b/data/meson.build
index b77bf4340c..afe1800b56 100644
--- a/data/meson.build
+++ b/data/meson.build
@@ -55,16 +55,8 @@ if install_udevdir
endif
if enable_polkit
- policy = 'org.freedesktop.NetworkManager.policy'
-
- policy_in = configure_file(
- input: policy + '.in.in',
- output: '@BASENAME@',
- configuration: data_conf,
- )
-
i18n.merge_file(
- input: policy_in,
+ input: 'org.freedesktop.NetworkManager.policy.in',
output: '@BASENAME@',
po_dir: po_dir,
install: true,
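Review bot: Feeding `org.freedesktop.NetworkManager.policy.in` directly to `i18n.merge_file` drops the `configure_file` pass, so any `@…@` placeholder still present in the policy file would now be installed verbatim rather than substituted (or failing the build); the rename hunk shows only the two `@NM_MODIFY_SYSTEM_POLICY@` lines being replaced, so I cannot confirm from here that no other placeholder remains. A grep of the renamed file for `@` before merging would settle it, and if it comes up empty a one-line comment above the call such as `# the policy file is static; it is no longer generated from a .in.in template` would keep someone from re-adding a configure step later. The `i18n.merge_file(` call continues past the end of the hunk.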
diff --git a/data/org.freedesktop.NetworkManager.policy.in.in b/data/org.freedesktop.NetworkManager.policy.in
similarity index 98%
rename from data/org.freedesktop.NetworkManager.policy.in.in
rename to data/org.freedesktop.NetworkManager.policy.in
index 13a0a5b504..cb143a2dd2 100644
--- a/data/org.freedesktop.NetworkManager.policy.in.in
+++ b/data/org.freedesktop.NetworkManager.policy.in
@@ -117,8 +117,8 @@
System policy prevents modification of network settings for all users
auth_admin_keep
- @NM_MODIFY_SYSTEM_POLICY@
- @NM_MODIFY_SYSTEM_POLICY@
+ auth_admin_keep
+ auth_admin_keep
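Review bot: The two entries are now hard-coded to `auth_admin_keep` with nothing in the file explaining why the former build-time choice was removed, so the next person who wants non-admin users to edit system connections will likely reach for a policy override without knowing the risk. I would add an XML comment above these lines, e.g. `<!-- Deliberately auth_admin_keep for every session state: granting this to non-admin users lets them bypass filesystem permissions through system-wide connections (see NEWS). -->`. Whether plain `auth_admin` (no caching of the admin authorization) would be preferable given that rationale is a separate question; the chosen value is at least consistent with the existing `auth_admin_keep` entry directly above. The enclosing `<action>` element starts and ends outside the hunk.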
diff --git a/meson.build b/meson.build
index 56bbe28163..49f5b4214a 100644
--- a/meson.build
+++ b/meson.build
@@ -519,6 +519,10 @@ endif
config_h.set_quoted('NM_CONFIG_DEFAULT_MAIN_AUTH_POLKIT', config_auth_polkit_default)
enable_modify_system = get_option('modify_system')
+if enable_modify_system
+ # FIXME: remove this after everyone has stopped using modify_system
+ error('modify_system=true is no longer allowed due to security reasons')
+endif
polkit_agent_helper_1_path = get_option('polkit_agent_helper_1')
foreach p : [ '/usr/libexec/polkit-agent-helper-1',
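Review bot: The new `error()` tells a packager that `modify_system=true` is rejected "due to security reasons" but not what now applies or what to do, so the first thing they will try is searching for a replacement option that does not exist. Turning the option into a hard error rather than silently ignoring it is the right call, since a silently dropped flag would leave distributions believing they still ship the permissive policy; the message should just carry the remaining facts, e.g. `error('modify_system=true is no longer supported: the polkit policy for settings.modify.system is now fixed at auth_admin_keep, drop the option (see NEWS)')`. With this hunk `enable_modify_system` is read only here, which is fine for the transition period the FIXME describes.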
@@ -951,7 +955,6 @@ data_conf.set('NM_DHCP_CLIENTS_ENABLED', ', '.join(config_dhcp_c
data_conf.set('NM_MAJOR_VERSION', nm_major_version)
data_conf.set('NM_MICRO_VERSION', nm_micro_version)
data_conf.set('NM_MINOR_VERSION', nm_minor_version)
-data_conf.set('NM_MODIFY_SYSTEM_POLICY', (enable_modify_system ? 'yes' : 'auth_admin_keep'))
data_conf.set('NM_VERSION', nm_version)
data_conf.set('VERSION', nm_version)
data_conf.set('bindir', nm_bindir)
@@ -1082,17 +1085,7 @@ output += ' dbus_conf_dir: ' + dbus_conf_dir + '\n'
output += '\nPlatform:\n'
output += ' session tracking: ' + ','.join(session_trackers) + '\n'
output += ' suspend/resume: ' + suspend_resume + '\n'
-output += ' policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')'
-if enable_polkit
- output += ' ('
- if enable_modify_system
- output += 'permissive'
- else
- output += 'restrictive'
- endif
- output += ' modify.system)'
-endif
-output += '\n'
+output += ' policykit: ' + enable_polkit.to_string() + ' (default: ' + config_auth_polkit_default + ')\n'
output += ' polkit-agent-helper-1: ' + polkit_agent_helper_1_path + '\n'
output += ' selinux: ' + enable_selinux.to_string() + '\n'
output += ' systemd-journald: ' + enable_systemd_journal.to_string() + ' (default: logging.backend=' + config_logging_backend_default + ')\n'
diff --git a/meson_options.txt b/meson_options.txt
index 8ec68a46bd..44d50c6a7a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -19,7 +19,7 @@ option('session_tracking', type: 'combo', choices: ['systemd', 'elogind', 'no'],
option('suspend_resume', type: 'combo', choices: ['systemd', 'elogind', 'consolekit', 'auto'], value: 'auto', description: 'Build NetworkManager with specific suspend/resume support')
option('polkit', type: 'boolean', value: true, description: 'User auth-polkit configuration option.')
option('config_auth_polkit_default', type: 'combo', choices: ['default', 'true', 'false', 'root-only'], value: 'default', description: 'Default value for configuration main.auth-polkit.')
-option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections')
+option('modify_system', type: 'boolean', value: false, description: 'Allow users to modify system connections (option no longer supported, don\'t use)')
option('polkit_agent_helper_1', type: 'string', value: '', description: 'Path name to the polkit-agent-helper-1 binary from polkit')
option('selinux', type: 'boolean', value: true, description: 'Build with SELinux')
option('systemd_journal', type: 'boolean', value: true, description: 'Use systemd journal for logging')
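Review bot: The option survives solely to reject `true`, and the only signal a `-Dmodify_system=false` caller gets is the rewritten description text, which nobody reads at configure time. Meson's `option()` accepts a `deprecated:` keyword (available since 0.60, whether the project's minimum meson version permits it is not visible here) that prints a warning whenever the option is set, which would surface the removal to every packager still passing it, e.g. `option('modify_system', type: 'boolean', value: false, deprecated: true, description: 'Removed: the polkit policy now always requires admin authentication for system connections')`. If the minimum version is too old, a `# Deprecated, rejected when true; remove once downstream build scripts have dropped it` comment above the line would at least record the intent alongside the FIXME in meson.build.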
diff --git a/po/POTFILES.in b/po/POTFILES.in
index feeaf9ebbe..20bd8f253a 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -1,6 +1,6 @@
# List of source files containing translatable strings.
# Please keep this file sorted alphabetically.
-data/org.freedesktop.NetworkManager.policy.in.in
+data/org.freedesktop.NetworkManager.policy.in
src/core/NetworkManagerUtils.c
src/core/devices/adsl/nm-device-adsl.c
src/core/devices/bluetooth/nm-bluez-manager.c