diff --git a/components/engine/integration-cli/daemon_swarm.go b/components/engine/integration-cli/daemon_swarm.go
index 526ac21e27..ac54cbfb86 100644
--- a/components/engine/integration-cli/daemon_swarm.go
+++ b/components/engine/integration-cli/daemon_swarm.go
@@ -114,6 +114,7 @@ func (d *SwarmDaemon) info() (swarm.Info, error) {
 
 type serviceConstructor func(*swarm.Service)
 type nodeConstructor func(*swarm.Node)
+type specConstructor func(*swarm.Spec)
 
 func (d *SwarmDaemon) createService(c *check.C, f ...serviceConstructor) string {
 	var service swarm.Service
@@ -185,3 +186,19 @@ func (d *SwarmDaemon) listNodes(c *check.C) []swarm.Node {
 	c.Assert(json.Unmarshal(out, &nodes), checker.IsNil)
 	return nodes
 }
+
+func (d *SwarmDaemon) updateSwarm(c *check.C, f ...specConstructor) {
+	var sw swarm.Swarm
+	status, out, err := d.SockRequest("GET", "/swarm", nil)
+	c.Assert(err, checker.IsNil)
+	c.Assert(status, checker.Equals, http.StatusOK, check.Commentf("output: %q", string(out)))
+	c.Assert(json.Unmarshal(out, &sw), checker.IsNil)
+
+	for _, fn := range f {
+		fn(&sw.Spec)
+	}
+	url := fmt.Sprintf("/swarm/update?version=%d", sw.Version.Index)
+	status, out, err = d.SockRequest("POST", url, sw.Spec)
+	c.Assert(err, checker.IsNil)
+	c.Assert(status, checker.Equals, http.StatusOK, check.Commentf("output: %q", string(out)))
+}
diff --git a/components/engine/integration-cli/docker_api_swarm_test.go b/components/engine/integration-cli/docker_api_swarm_test.go
index 9b6ba6c685..d76c6ac0e4 100644
--- a/components/engine/integration-cli/docker_api_swarm_test.go
+++ b/components/engine/integration-cli/docker_api_swarm_test.go
@@ -145,6 +145,74 @@ func (s *DockerSwarmSuite) TestApiSwarmSecretAcceptance(c *check.C) {
 	info, err = d2.info()
 	c.Assert(err, checker.IsNil)
 	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	// change secret
+	d1.updateSwarm(c, func(s *swarm.Spec) {
+		for i := range s.AcceptancePolicy.Policies {
+			p := "foobaz"
+			s.AcceptancePolicy.Policies[i].Secret = &p
+		}
+	})
+
+	err = d2.Join(d1.listenAddr, "foobar", "", false)
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "secret token is necessary")
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	c.Assert(d2.Join(d1.listenAddr, "foobaz", "", false), checker.IsNil)
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(d2.Leave(false), checker.IsNil)
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	// change policy, don't change secret
+	d1.updateSwarm(c, func(s *swarm.Spec) {
+		for i, p := range s.AcceptancePolicy.Policies {
+			if p.Role == swarm.NodeRoleManager {
+				s.AcceptancePolicy.Policies[i].Autoaccept = false
+			}
+			s.AcceptancePolicy.Policies[i].Secret = nil
+		}
+	})
+
+	err = d2.Join(d1.listenAddr, "", "", false)
+	c.Assert(err, checker.NotNil)
+	c.Assert(err.Error(), checker.Contains, "secret token is necessary")
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	c.Assert(d2.Join(d1.listenAddr, "foobaz", "", false), checker.IsNil)
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(d2.Leave(false), checker.IsNil)
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
+	// clear secret
+	d1.updateSwarm(c, func(s *swarm.Spec) {
+		for i := range s.AcceptancePolicy.Policies {
+			p := ""
+			s.AcceptancePolicy.Policies[i].Secret = &p
+		}
+	})
+
+	c.Assert(d2.Join(d1.listenAddr, "", "", false), checker.IsNil)
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateActive)
+	c.Assert(d2.Leave(false), checker.IsNil)
+	info, err = d2.info()
+	c.Assert(err, checker.IsNil)
+	c.Assert(info.LocalNodeState, checker.Equals, swarm.LocalNodeStateInactive)
+
 }
 
 func (s *DockerSwarmSuite) TestApiSwarmCAHash(c *check.C) {