diff --git a/awx/main/isolated/isolated_manager.py b/awx/main/isolated/isolated_manager.py
index 73d8e2c970..7cfb7275d3 100644
--- a/awx/main/isolated/isolated_manager.py
+++ b/awx/main/isolated/isolated_manager.py
@@ -154,7 +154,7 @@ class IsolatedManager(object):
 extra_vars = {
 'src': self.private_data_dir,
- 'dest': os.path.split(self.private_data_dir)[0],
+ 'dest': settings.AWX_PROOT_BASE_PATH,
 }
 if self.proot_temp_dir:
 extra_vars['proot_temp_dir'] = self.proot_temp_dir
@@ -190,7 +190,7 @@ class IsolatedManager(object):
 isolated_ssh_path = None
 try:
 if getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', None):
- isolated_ssh_path = tempfile.mkdtemp(prefix='ansible_tower_isolated')
+ isolated_ssh_path = tempfile.mkdtemp(prefix='ansible_tower_isolated', dir=settings.AWX_PROOT_BASE_PATH)
 os.chmod(isolated_ssh_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
 isolated_key = os.path.join(isolated_ssh_path, '.isolated')
 ssh_sock = os.path.join(isolated_ssh_path, '.isolated_ssh_auth.sock')
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index 5ccdf589d9..eae1235974 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -444,7 +444,7 @@ class BaseTask(Task):
 '''
 Create a temporary directory for job-related files.
 '''
- path = tempfile.mkdtemp(prefix='ansible_tower_%s_' % instance.pk)
+ path = tempfile.mkdtemp(prefix='ansible_tower_%s_' % instance.pk, dir=settings.AWX_PROOT_BASE_PATH)
 os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
 return path
@@ -481,7 +481,7 @@ class BaseTask(Task):
 # For credentials used with ssh-add, write to a named pipe which
 # will be read then closed, instead of leaving the SSH key on disk.
 if credential.kind in ('ssh', 'scm') and not ssh_too_old:
- path = os.path.join(kwargs.get('private_data_dir', tempfile.gettempdir()), name)
+ path = os.path.join(kwargs['private_data_dir'], name)
 run.open_fifo_write(path, data)
 private_data_files['credentials']['ssh'] = path
 # Ansible network modules do not yet support ssh-agent.
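Review bot: The new `'dest': settings.AWX_PROOT_BASE_PATH` value is no longer derived from `self.private_data_dir`, so the line itself no longer shows why the two agree; a comment such as `# parent of private_data_dir: build_private_data_dir() creates it under AWX_PROOT_BASE_PATH` would keep that invariant visible, since `dest` is consumed by run_isolated.yml as the rsync destination. The old `os.path.split` result was the normalised parent of a real directory, whereas the setting is sent as typed; a trailing slash or symlink in AWX_PROOT_BASE_PATH would now reach the playbook unchanged, so `os.path.normpath(settings.AWX_PROOT_BASE_PATH)` may be worth it if exact path equality matters there. The enclosing method starts and ends outside the hunk.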
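Review bot: The docstring above the new `mkdtemp` call still says only "Create a temporary directory for job-related files." and does not record that the directory is now deliberately placed under AWX_PROOT_BASE_PATH, the path `wrap_args_with_proot` hides from the job process; suggest extending it with `The directory is created under settings.AWX_PROOT_BASE_PATH so it sits inside the tree proot/bwrap hides from the job, and is mode 0700.` `tempfile.mkdtemp` already creates the directory with mode 0700, so the following `os.chmod` is redundant but harmless. The signature of `build_private_data_dir` is outside the hunk.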
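Review bot: `kwargs['private_data_dir']` now raises a bare `KeyError: 'private_data_dir'` if a caller omits the argument, which is the right fail-closed replacement for the old `tempfile.gettempdir()` fallback (a key FIFO there would sit outside the hidden path) but explains nothing to whoever hits it. Consider resolving it once with the reason attached, e.g. `private_data_dir = kwargs['private_data_dir']  # required: the FIFO must live inside the proot-hidden directory`, or raising `RuntimeError('private_data_dir is required to write SSH key FIFOs')`, and note the requirement in the method docstring, which is outside the hunk.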
@@ -682,6 +682,9 @@ class BaseTask(Task):
 instance = self.update_model(pk)
 status = instance.status
 raise RuntimeError('not starting %s task' % instance.status)
+
+ if not os.path.exists(settings.AWX_PROOT_BASE_PATH):
+ raise RuntimeError('AWX_PROOT_BASE_PATH=%s does not exist' % settings.AWX_PROOT_BASE_PATH)
 # Fetch ansible version once here to support version-dependent features.
 kwargs['ansible_version'] = get_ansible_version()
 kwargs['private_data_dir'] = self.build_private_data_dir(instance, **kwargs)
@@ -1195,7 +1198,7 @@ class RunProjectUpdate(BaseTask):
 }
 }
 '''
- handle, self.revision_path = tempfile.mkstemp()
+ handle, self.revision_path = tempfile.mkstemp(dir=settings.AWX_PROOT_BASE_PATH)
 private_data = {'credentials': {}}
 if project_update.credential:
 credential = project_update.credential
@@ -1815,7 +1818,7 @@ class RunInventoryUpdate(BaseTask):
 elif src == 'scm':
 args.append(inventory_update.get_actual_source_path())
 elif src == 'custom':
- runpath = tempfile.mkdtemp(prefix='ansible_tower_launch_')
+ runpath = tempfile.mkdtemp(prefix='ansible_tower_launch_', dir=settings.AWX_PROOT_BASE_PATH)
 handle, path = tempfile.mkstemp(dir=runpath)
 f = os.fdopen(handle, 'w')
 if inventory_update.source_script is None:
diff --git a/awx/main/utils/common.py b/awx/main/utils/common.py
index ba9fb73c54..ff8b8699aa 100644
--- a/awx/main/utils/common.py
+++ b/awx/main/utils/common.py
@@ -612,7 +612,7 @@ def build_proot_temp_dir():
 def wrap_args_with_proot(args, cwd, **kwargs):
 '''
 Wrap existing command line with proot to restrict access to:
- - /tmp (except for own tmp files)
+ - AWX_PROOT_BASE_PATH (generally, /tmp) (except for own /tmp files)
 For non-isolated nodes:
 - /etc/tower (to prevent obtaining db info or secret key)
 - /var/lib/awx (except for current project)
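Review bot: `os.path.exists` is also true for a regular file (or a symlink to one), so an AWX_PROOT_BASE_PATH that points at a non-directory passes the new guard and only fails later, inside `tempfile.mkdtemp`, with a less useful traceback; `if not os.path.isdir(settings.AWX_PROOT_BASE_PATH):` is the check that matches how the setting is used by every `mkdtemp`/`mkstemp` call in this commit. The message could say what was expected too, e.g. `'AWX_PROOT_BASE_PATH=%s does not exist or is not a directory'`. The enclosing `run` method continues outside the hunk.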
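Review bot: `tempfile.mkstemp` returns an open descriptor in `handle`, and nothing in this hunk closes it; if the remainder of the method (outside the hunk) does not `os.close(handle)`, each project update leaks a descriptor in a long-lived worker. The custom-source hunk in RunInventoryUpdate (`runpath = tempfile.mkdtemp(...)`) has the same shape: `f = os.fdopen(handle, 'w')` is opened without a context manager, so an exception before the close leaks the file; `with os.fdopen(handle, 'w') as f:` would bound it. Both patterns predate this commit, but these are the lines being rewritten.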
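Review bot: The new docstring bullet `- AWX_PROOT_BASE_PATH (generally, /tmp) (except for own /tmp files)` still says "/tmp files" although the hidden path is now the setting, and the doubled parenthetical reads awkwardly; suggest `- AWX_PROOT_BASE_PATH (generally /tmp), except for the job's own files beneath it`.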
@@ -621,7 +621,7 @@ def wrap_args_with_proot(args, cwd, **kwargs):
 '''
 from django.conf import settings
 new_args = [getattr(settings, 'AWX_PROOT_CMD', 'bwrap'), '--unshare-pid', '--dev-bind', '/', '/']
- hide_paths = [tempfile.gettempdir()]
+ hide_paths = [settings.AWX_PROOT_BASE_PATH]
 if not kwargs.get('isolated'):
 hide_paths.extend(['/etc/tower', '/var/lib/awx', '/var/log', settings.PROJECTS_ROOT, settings.JOBOUTPUT_ROOT])
diff --git a/awx/playbooks/run_isolated.yml b/awx/playbooks/run_isolated.yml
index 7bec2bf8a2..1dbd1e6561 100644
--- a/awx/playbooks/run_isolated.yml
+++ b/awx/playbooks/run_isolated.yml
@@ -18,7 +18,7 @@
 - name: create a proot/bwrap temp dir (if necessary)
 synchronize:
 src: "{{proot_temp_dir}}"
- dest: "/tmp"
+ dest: "{{dest}}"
 when: proot_temp_dir is defined
 
 - name: synchronize job environment with isolated host
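Review bot: Replacing `tempfile.gettempdir()` with `settings.AWX_PROOT_BASE_PATH` in `hide_paths` narrows what the sandbox hides: whenever the setting is not the process's temp directory (TMPDIR or the platform default), anything other code writes there — including library calls that rely on `tempfile` defaults — becomes visible to the sandboxed job, whereas before it was hidden. Hiding both is cheap: keep `hide_paths = [settings.AWX_PROOT_BASE_PATH]` and add `if tempfile.gettempdir() != settings.AWX_PROOT_BASE_PATH: hide_paths.append(tempfile.gettempdir())`, assuming the module's `tempfile` import survives now that this line no longer uses it. The lines that re-expose the job's own directory inside the hidden tree are outside the hunk, so I cannot confirm they still line up with the new base path.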
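Review bot: `dest: "{{dest}}"` has no default in the play, so the task now fails with an undefined-variable error when the caller does not pass `dest` — fail-closed, but the coupling to the extra var set in IsolatedManager deserves a comment, e.g. `# dest is passed as an extra var by IsolatedManager and must be the AWX_PROOT_BASE_PATH in effect on the isolated node`. As I understand rsync, it creates only the final component of a missing destination, so the parent of that path must already exist on the isolated host; nothing in the hunk checks that, and whether the isolated node's own sandbox hides the same path is not visible here.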