diff --git a/pkg/dev/dev.go b/pkg/dev/dev.go
index a4d58a9bd..45d947586 100644
--- a/pkg/dev/dev.go
+++ b/pkg/dev/dev.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -19,6 +20,7 @@ import (
 	"github.com/acorn-io/runtime/pkg/labels"
 	"github.com/acorn-io/runtime/pkg/log"
 	"github.com/acorn-io/runtime/pkg/rulerequest"
+	"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/devsessions"
 	"github.com/acorn-io/z"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/pflag"
@@ -277,6 +279,8 @@ func buildLoop(ctx context.Context, c client.Client, hash clientHash, opts *Opti
 				case <-time.After(time.Second):
 					continue
 				}
+			} else if apierror.IsForbidden(err) && strings.Contains(err.Error(), devsessions.ErrMsgDevSessionBlockedByIAR) {
+				return fmt.Errorf(devsessions.ErrMsgDevSessionBlockedByIAR)
 			} else if err != nil {
 				logger.Errorf("Failed to run/update app: %v", err)
 				failed.Store(true)
diff --git a/pkg/server/registry/apigroups/acorn/devsessions/strategy.go b/pkg/server/registry/apigroups/acorn/devsessions/strategy.go
index 46ef59b25..f8ffccd30 100644
--- a/pkg/server/registry/apigroups/acorn/devsessions/strategy.go
+++ b/pkg/server/registry/apigroups/acorn/devsessions/strategy.go
@@ -6,12 +6,16 @@ import (
 
 	"github.com/acorn-io/baaah/pkg/router"
 	apiv1 "github.com/acorn-io/runtime/pkg/apis/api.acorn.io/v1"
+	"github.com/acorn-io/runtime/pkg/config"
+	"github.com/acorn-io/runtime/pkg/profiles"
 	"github.com/acorn-io/runtime/pkg/server/registry/apigroups/acorn/apps"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const ErrMsgDevSessionBlockedByIAR = "ImageAllowRules active - DevSessions are being blocked"
+
 type Validator struct {
 	client       kclient.Client
 	appValidator *apps.Validator
@@ -32,6 +36,17 @@ func (v *Validator) Validate(ctx context.Context, obj runtime.Object) (result fi
 		return
 	}
 
+	iarEnabled, err := config.GetFeature(ctx, v.client, profiles.FeatureImageAllowRules)
+	if err != nil {
+		result = append(result, field.Invalid(field.NewPath("metadata", "name"), devSession.Name, err.Error()))
+		return
+	}
+
+	if iarEnabled {
+		result = append(result, field.Forbidden(field.NewPath("metadata", "name"), ErrMsgDevSessionBlockedByIAR))
+		return
+	}
+
 	if devSession.Spec.Region != app.GetRegion() {
 		if devSession.Spec.Region != "" {
 			result = append(result, field.Invalid(field.NewPath("spec", "region"), devSession.Spec.Region,