Index: share/bootloaders/grub-efi/grub.cfg
===================================================================
--- share/bootloaders/grub-efi/grub.cfg
+++ share/bootloaders/grub-efi/grub.cfg
@@ -38,16 +38,23 @@
 set menu_color_normal=white/black
 set menu_color_highlight=black/light-gray
 
+# NB: apparmor is disabled because it would deny everything. The actual paths in
+#   the live system are not the paths used in the configs. This is because of
+#   how the squashfs is mounted and then overlayed. So the final paths seen by
+#   apparmor will be /cow/foo/whatevs/... instead of /... this blocks a lot of
+#   parts of the ISO from working properly (e.g. snapd or kmail; latter only
+#   if the user opts to install it of course).
+
 menuentry "Start KDE neon" {
 	load_video
 	set gfxpayload=keep
-	linux	/casper/vmlinuz  boot=casper quiet splash ---
+	linux	/casper/vmlinuz  boot=casper apparmor=0 quiet splash ---
 	initrd	/casper/initrd.lz
 }
 
 menuentry "Start KDE neon (OEM mode)" {
 	load_video
 	set gfxpayload=keep
-	linux	/casper/vmlinuz  boot=casper quiet splash --- oem-config/enable=true
+	linux	/casper/vmlinuz  boot=casper apparmor=0 quiet splash --- oem-config/enable=true
 	initrd	/casper/initrd.lz
 }