Configuration Reference
ScreenStop configuration is managed centrally from the Dashboard and pushed to stations automatically. Most settings do not require touching the local workstation.
Dashboard-Managed Settings
These settings are configured in the Dashboard and synced to each station every few seconds.
| Setting | Description | Default |
|---|---|---|
| `detection_mode` | Active detection modes (see below) | All enabled |
| `lock_delay_seconds` | Seconds before the screen locks after a threat | 0 |
| `phone_confidence` | YOLO confidence threshold for phone detection | 0.5 |
| `face_confidence` | InsightFace confidence threshold for face matching | 0.45 |
| `LOG_LEVEL` | Logging verbosity (DEBUG, INFO, WARNING, ERROR) | INFO |
| `debug_mode` | Stream logs and capture frames to the dashboard in real time | false |
Detection Modes
| Mode | Description |
|---|---|
| Phone Detection | Locks screen when a phone is pointed at the monitor |
| Unauthorized Person | Locks when an unrecognized face is detected |
| Shoulder Surfing | Locks when more than one face is detected |
| Unattended Screen | Locks when no face is detected for a configured duration |
Modes can be enabled/disabled individually from the Dashboard.
v2.0 — Endpoint DLP Settings
These settings are configured at the Department level in the Dashboard and pushed to all stations in the department.
Audit Mode
| Setting | Description | Default |
|---|---|---|
| `AUDIT_MODE` | Detect threats and log all events, but never lock, blur, eject, or cancel | false |
When AUDIT_MODE = true:
- All detections fire and are sent to the dashboard as normal
- No screen lock, no blur overlay, no USB eject, no print cancellation
- Use for silent baselining before enforcing policy
Deployment tip
Enable Audit Mode for 1–2 weeks before going live. Review the event feed to identify false positives and tune sensitivity thresholds. Then disable Audit Mode to enforce policy.
Capture Mode (Department Policy)
| Setting | Description | Default |
|---|---|---|
| `CAPTURE_MODE` | Save a camera snapshot for every detection event | false |
| `CAPTURE_INCLUDE_SCREEN` | Also capture a screenshot of the screen at the moment of detection | false |
When CAPTURE_MODE = true, every detection event saves a .jpg frame to the station's local disk:
=== "macOS"
~/Library/Application Support/ScreenStop/detections/
=== "Windows"
%LOCALAPPDATA%\ScreenStop\detections\
Department policy wins: If the department sets CAPTURE_MODE = true, all stations in that department capture images regardless of individual station settings. The daemon picks up the change within ~5 seconds via heartbeat.
When CAPTURE_INCLUDE_SCREEN = true, a screenshot of the screen content is captured before the blur overlay fires and combined with the camera frame into a single stacked image. This shows exactly what data was visible at the moment of the incident.
Privacy
CAPTURE_INCLUDE_SCREEN captures whatever is on the screen — including sensitive data. Enable only on workstations where your data retention policy permits it and employees have been informed.
Capture Mode vs. Debug Mode
- Capture Mode (`CAPTURE_MODE`) — saves frames to local disk. Controlled by department policy. Used for compliance and evidence retention.
- Capture Include Screen (`CAPTURE_INCLUDE_SCREEN`) — adds a screen snapshot to the detection image. Controlled by department policy.
- Debug Mode (`debug_mode`) — streams live frames and logs to the dashboard. Controlled per-station. Used for active incident investigation.
Warning
The daemon keeps the last 100 images (auto-cleanup). Ensure your data retention policy covers these files.
USB Protection
| Setting | Description | Default |
|---|---|---|
| `USB_PROTECTION` | Eject USB drives unless an authorized person is present | false |
When USB_PROTECTION = true:
- Every detection cycle checks for connected USB storage devices
- If no authorized person is present, all removable USB drives are ejected immediately
- Event logged: `usb_blocked` (enforcement) or `usb_detected` (Audit Mode)
=== "macOS"
Uses `diskutil unmount force`. A forced unmount proceeds even while files on the volume are open, so a write that is in progress at that moment can be lost; that is the intended trade-off for stopping the copy.
=== "Windows"
Uses `IOCTL_STORAGE_EJECT_MEDIA` via the Windows API.
Print Protection
| Setting | Description | Default |
|---|---|---|
| `PRINT_PROTECTION` | Cancel print jobs unless an authorized person is present | false |
When PRINT_PROTECTION = true:
- Every detection cycle checks for active print jobs
- If no authorized person is present, all pending print jobs are cancelled
- Event logged: `print_blocked` (enforcement) or `print_detected` (Audit Mode)
=== "macOS"
Uses CUPS (`lpstat -o` + `cancel`).
=== "Windows"
Uses `win32print.EnumJobs` + `JOB_CONTROL_DELETE`.
Notifications & Alerting (Server-Side)
Configured in the Dashboard under Admin → Notifications. No station restart required.
Email Alerts (SMTP)
| Setting | Description |
|---|---|
| `smtp_enabled` | Enable email alerts |
| `smtp_host` | SMTP server hostname (e.g. smtp.mailgun.org) |
| `smtp_port` | SMTP port (default: 587, the STARTTLS submission port) |
| `smtp_user` | SMTP username |
| `smtp_password` | SMTP password |
| `smtp_from` | Sender address |
| `smtp_to` | Recipient addresses (JSON array, e.g. `["admin@org.com"]`) |
Alerts are threshold-based — an email fires when a detection type exceeds a configured count per day. Duplicate alerts for the same event type on the same day are suppressed.
SIEM Integration (CEF Syslog)
| Setting | Description |
|---|---|
| `siem_enabled` | Enable SIEM forwarding |
| `siem_host` | SIEM server IP or hostname |
| `siem_port` | UDP/TCP port (default: 514) |
| `siem_protocol` | `udp` or `tcp`. UDP syslog is fire-and-forget: lost datagrams are not retried and nothing on the wire is authenticated or encrypted, so prefer `tcp` where the SIEM accepts it and keep the path on a trusted network segment |
Events are forwarded in CEF (Common Event Format) — compatible with Splunk, QRadar, ArcSight, and any CEF-capable SIEM.
CEF format:
```
CEF:0|ScreenStop|ScreenStop|2.0|<event_type>|<label>|<severity>|src=<device_id> suser=<hostname> cs1=<confidence> cs1Label=Confidence
```
Severity levels: `unauthorized_face` = 8, `phone` = 7, `shoulder_surfing` = 6, `camera_covered` = 5.
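To check what the SIEM will actually receive, the following is an added example (not ScreenStop's own code) that renders a detection in the documented layout and parses it back the way a CEF-capable collector would, with the escaping CEF requires: a pipe or backslash inside a header field and an equals sign or backslash inside an extension value must be escaped, otherwise the line mis-parses at the SIEM. The severity table is the one documented above; the fallback severity for any other event type is this example's own choice.

```python
"""Build and parse ScreenStop-style CEF lines (added example, not project code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Severities documented on this page; other event types get DEFAULT_SEVERITY (assumption).
SEVERITY = {"unauthorized_face": 8, "phone": 7, "shoulder_surfing": 6, "camera_covered": 5}
DEFAULT_SEVERITY = 3

# key=value pairs; a value runs until the next " key=" or end of line.
_EXT_RE = re.compile(r"(?P<k>\w+)=(?P<v>(?:\\.|[^\\=])*?)(?=\s\w+=|$)")


def _esc_header(value: str) -> str:
    """CEF header fields may not contain a bare pipe or backslash."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    """CEF extension values escape backslash and equals; newlines are folded."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _unesc(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def build_cef(event_type: str, label: str, device_id: str, hostname: str,
              confidence: float, version: str = "2.0") -> str:
    """Render one detection as a CEF line in the layout documented on this page."""
    header = "|".join(["CEF:0", "ScreenStop", "ScreenStop", version,
                       _esc_header(event_type), _esc_header(label),
                       str(SEVERITY.get(event_type, DEFAULT_SEVERITY))])
    ext = {"src": device_id, "suser": hostname,
           "cs1": f"{confidence:.2f}", "cs1Label": "Confidence"}
    return header + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    signature: str          # <event_type>
    name: str               # <label>
    severity: int
    extension: dict[str, str] = field(default_factory=dict)


def _split_header(line: str) -> tuple[list[str], str]:
    """Split the seven header fields on unescaped pipes; return (fields, extension)."""
    fields: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped char: keep it literally
            cur.append(line[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    return fields, line[i:]


def parse_cef(line: str) -> CefEvent:
    """Parse a CEF line as a collector would; raises ValueError on a malformed header."""
    fields, ext_raw = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError(f"not a CEF:0 line: {line!r}")
    ext = {m.group("k"): _unesc(m.group("v")) for m in _EXT_RE.finditer(ext_raw)}
    return CefEvent(vendor=fields[1], product=fields[2], version=fields[3],
                    signature=fields[4], name=fields[5], severity=int(fields[6]),
                    extension=ext)


if __name__ == "__main__":
    # Constructed sample detection, not a real event.
    sample = build_cef("phone", "Phone pointed at screen", "dev-01", "host-a", 0.83)
    print(sample)
    print(parse_cef(sample))
```

Round-tripping a line through `parse_cef` before enabling forwarding is a cheap way to confirm the field order and the severity your SIEM rules key on; a label containing a pipe is the usual way a hand-rolled formatter breaks, which is why the example escapes it.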
Alert Thresholds
Set per event type in Admin → Notifications → Thresholds:
| Threshold | Description |
|---|---|
| Per-station threshold | Alert when a single station exceeds N events of this type today |
| Global threshold | Alert when all stations combined exceed N events of this type today |
Set to 0 to disable a threshold.
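The two thresholds interact with the daily duplicate suppression described under Email Alerts, and the result is easy to misjudge when tuning (a station can trip its own threshold and, moments later, push the fleet over the global one). The following is an added example, not the dashboard's implementation, that models the documented rules: per-station and global counts per event type per day, 0 disables a threshold, "exceeds N" means strictly more than N, and an alert of the same type on the same day fires once. Keying the per-station alert by station as well as by day and type is this example's interpretation.

```python
"""Per-day alert thresholds with duplicate suppression (added example, not project code)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Thresholds:
    per_station: int = 0   # alert when one station exceeds N events today; 0 disables
    global_: int = 0       # alert when all stations combined exceed N today; 0 disables


@dataclass(frozen=True)
class Alert:
    day: date
    event_type: str
    scope: str             # "station:<id>" or "global"
    count: int             # count at the moment the threshold was crossed


class ThresholdAlerter:
    def __init__(self, thresholds: dict[str, Thresholds]) -> None:
        self.thresholds = thresholds
        self._counts: Counter = Counter()   # (day, event_type, station) -> events
        self._fired: set = set()             # (day, event_type, scope) already alerted

    def _global_count(self, day: date, event_type: str) -> int:
        return sum(n for (d, t, _s), n in self._counts.items()
                   if d == day and t == event_type)

    def ingest(self, ts: datetime | str, station: str, event_type: str) -> list[Alert]:
        """Record one event; return the alerts it triggers (usually none)."""
        if isinstance(ts, str):
            ts = datetime.fromisoformat(ts)
        th = self.thresholds.get(event_type)
        if th is None:                      # no threshold configured for this type
            return []
        day = ts.date()
        self._counts[(day, event_type, station)] += 1
        checks = [
            (th.per_station, f"station:{station}", self._counts[(day, event_type, station)]),
            (th.global_, "global", self._global_count(day, event_type)),
        ]
        fired: list[Alert] = []
        for limit, scope, count in checks:
            if limit <= 0 or count <= limit:   # disabled, or not yet exceeded
                continue
            key = (day, event_type, scope)
            if key in self._fired:             # same type, same day: suppressed
                continue
            self._fired.add(key)
            fired.append(Alert(day, event_type, scope, count))
        return fired


if __name__ == "__main__":
    # Constructed event stream: three phone detections on one station, then a fourth.
    alerter = ThresholdAlerter({"phone": Thresholds(per_station=2, global_=3)})
    for ts, station in [("2024-05-01T09:00", "A"), ("2024-05-01T09:05", "A"),
                        ("2024-05-01T09:10", "A"), ("2024-05-01T09:15", "A")]:
        print(ts, station, alerter.ingest(ts, station, "phone"))
```

Running the sample stream shows the third event raising the station alert and the fourth raising the global alert; every later `phone` event that day is silent, which is why a noisy fleet should be tuned in Audit Mode first rather than by raising thresholds after the fact.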
Unattended Event Filter
| Setting | Description | Default |
|---|---|---|
| `store_unattended` | Store unattended screen events in the dashboard | false |
Unattended events fire frequently in normal use (any time a user steps away). Disable storage to keep the event feed clean and reduce database growth. Enable only if you want to audit unattended screen exposure specifically.
Security Settings (Server-Side)
Set as environment variables on the dashboard server.
| Variable | Description | Required |
|---|---|---|
| `DASHBOARD_SECRET_KEY` | Signs admin session cookies. Server refuses to start if unset. Use a long random value, keep it out of source control, and expect every active admin session to be invalidated when it is rotated. | Yes |
| `STATION_API_TOKEN` | Bearer token all stations must present on sync/event requests. If unset, server runs in open/demo mode, in which any host that can reach the dashboard can pull station configuration and post events; never leave it unset on a network with untrusted hosts. | Recommended |
Configuring STATION_API_TOKEN on stations:
Add to setup_parameters.json on each station:
The station reads this file once at startup and includes the token as a bearer credential in all dashboard requests, so after changing the token restart the daemon on each station.
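Both halves of the token check, as an added example rather than ScreenStop's own code: the station-side loader and header, and the dashboard-side verification with a constant-time comparison. The page does not show the key name inside setup_parameters.json, so the key used here (`station_api_token`) is an assumption; confirm it against the real file before relying on this. The open/demo-mode branch mirrors the documented behaviour when `STATION_API_TOKEN` is unset.

```python
"""Station bearer token, both sides (added example, not project code)."""
from __future__ import annotations

import hmac
import json
import secrets
from pathlib import Path

TOKEN_KEY = "station_api_token"   # ASSUMED key name in setup_parameters.json


def generate_token(nbytes: int = 32) -> str:
    """A value suitable for STATION_API_TOKEN: 32 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


def load_station_token_from_text(text: str) -> str | None:
    """Parse setup_parameters.json content; None means 'no token configured'."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return None
    tok = data.get(TOKEN_KEY) if isinstance(data, dict) else None
    return tok if isinstance(tok, str) and tok else None


def load_station_token(path: Path) -> str | None:
    """What the daemon does at startup: read the file once."""
    try:
        return load_station_token_from_text(path.read_text(encoding="utf-8"))
    except FileNotFoundError:
        return None


def station_headers(token: str) -> dict[str, str]:
    """Headers the station attaches to every sync/event request."""
    return {"Authorization": f"Bearer {token}"}


def verify_station_request(auth_header: str | None, expected_token: str | None) -> bool:
    """Dashboard-side check.

    expected_token is None when STATION_API_TOKEN is unset: that is the documented
    open/demo mode, in which every caller is accepted, so the result here is True
    regardless of what (if anything) the client presented.
    """
    if expected_token is None:
        return True
    if not auth_header:
        return False
    scheme, _, credential = auth_header.partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return False
    # Constant-time comparison so timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(credential.encode(), expected_token.encode())


if __name__ == "__main__":
    # Constructed file content, not a real station's configuration.
    sample = '{"dashboard_url": "https://dashboard.example", "station_api_token": "t0k"}'
    token = load_station_token_from_text(sample)
    print(station_headers(token), verify_station_request("Bearer t0k", token))
```

A quick way to confirm enforcement after setting the variable on the server is to issue one request with no Authorization header and one with a wrong token; both must be rejected, otherwise the server is still in open mode.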
Face Enrollment
Face enrollment is required for Unauthorized Person and Shoulder Surfing detection.
- Right-click the ScreenStop menu/tray icon
- Select Open Control Center
- Click Train Face
- Follow the on-screen instructions (captures 5–10 photos)
Face data is stored locally — never uploaded to the dashboard.
=== "macOS"
~/Library/Application Support/ScreenStop/owner_encoding.npy
=== "Windows"
%LOCALAPPDATA%\ScreenStop\owner_encoding.npy
Log Files
=== "macOS"
~/Library/Application Support/ScreenStop/screenstop.log
=== "Windows"
%LOCALAPPDATA%\ScreenStop\screenstop.log
Log verbosity is controlled by LOG_LEVEL in the Dashboard and applies without restarting the daemon.
Dashboard URL
Set at install time via setup_parameters.json. Stations connect automatically after installation.