Skip to content

Dashboard Guide

The ScreenStop Dashboard is the central management console for all protected workstations. From here, IT administrators can monitor events, push configuration changes, and control detection behavior across the fleet.

Dashboard Overview


Accessing the Dashboard

The dashboard is a web application hosted on your organization's server.

Default credentials are set by your IT administrator at deployment time.

Password requirements

Passwords must be at least 12 characters and include uppercase, lowercase, a number, and a special character. The default admin/admin is not accepted for normal login — it works only as a temporary dev-mode bootstrap to create the first admin (see Docker Deployment — Bootstrap Admin Account), then is disabled.

Docker deployment

For containerised enterprise deployments, see Docker Deployment.


Station List

The main view shows all registered stations:

Station List

  • Status indicator — green when online, grey when last seen >5 min ago
  • Last seen timestamp
  • Device ID — unique identifier per machine
  • Detection events count

Stations register automatically the first time ScreenStop runs and contacts the dashboard.


Event Feed

Each station reports events in real time:

Events Explorer

Event Type Trigger
phone Phone pointed at screen
unauthorized_face Unrecognized person detected
shoulder_surfing Multiple faces detected
unattended No face detected for configured duration
camera_covered Camera lens blocked
usb_blocked USB drive ejected (USB Protection active)
usb_detected USB drive detected (Audit Mode — no eject)
print_blocked Print job cancelled (Print Protection active)
print_detected Print job detected (Audit Mode — no cancel)
camera_error Camera disconnected or read failure — station retries for 30s, then marks itself offline

Events include a timestamp, device ID, confidence score, and detection details. Events with Debug Mode active include a camera frame — click the camera icon in the event row to view the snapshot.

The Mode column flags events captured while the station's department was in silent mode (Audit Mode — detected and logged, no enforcement). This makes it easy to see, at a glance, which detections were monitored vs. enforced — useful while baselining before you go live.


Departments

Departments group stations and push a shared policy to all stations in the group.

Departments List Policy changes apply to all stations in the department within ~5 seconds.

To create a department:

  1. Go to Departments > New Department
  2. Name it (e.g. "Finance", "HR", "R&D")
  3. Assign stations to the department

New Department


Department Policy (v2.0)

Each department has an Endpoint DLP policy card and an Audit & Capture Policy card. These settings are pushed to all stations in the department automatically.

Department Configuration

Audit Mode (silent monitoring)

Detections fire and events are logged, but no action is taken (no lock, no blur, no USB eject, no print cancel).

On by default for new installs

The out-of-box General department starts with Audit Mode on, so stations begin in silent mode the moment they connect — events flow with no user disruption. You turn enforcement on yourself, per department, once you've verified everything works. See Rollout / Going Live.

To turn enforcement on (or back to silent) for a department:

  1. Go to Departments > select a department
  2. Open the Audit & Capture Policy card
  3. Toggle Audit Mode off (to enforce) or on (to stay silent)
  4. Click Save — all stations in the department switch within ~5 seconds

Tip

Run silent for 1–2 weeks before enforcing. Review the event feed to baseline normal behaviour and tune sensitivity per threat. Then disable Audit Mode to go live.


Capture Mode (Department Policy)

Saves a camera snapshot to local disk on the station for every detection event.

To enable Capture Mode:

  1. Go to Departments > select a department
  2. Open the Audit & Capture Policy card
  3. Toggle Show Detection Images in Events on
  4. Click Save

Snapshots are saved locally on the station in the detections/ folder. The daemon keeps the last 100 images (auto-cleanup).

Add Screen Capture to Detection Images

When enabled, a screenshot of the screen content is captured before the blur overlay fires and combined with the camera frame. The combined image shows both who was detected and what data was visible at the moment of the incident.

To enable:

  1. Go to Departments > select a department
  2. Open the Audit & Capture Policy card
  3. Toggle Add Screen Capture to Detection Images on
  4. Click Save

Privacy

This captures whatever is on the screen. Enable only where your data retention policy permits it and employees have been informed.

This is different from per-station Debug Mode

Department Capture Mode saves frames to the station's local disk for compliance retention. Per-station Debug Mode (toggle on the station page) streams frames live to the dashboard for active investigation.


USB Protection

Automatically ejects USB storage drives unless an authorized person is at the workstation.

To enable USB Protection:

  1. Go to Departments > select a department
  2. Open the Endpoint DLP card
  3. Toggle USB Protection on
  4. Click Save

Tip

Enable Audit Mode first to see usb_detected events in the feed before switching to enforcement (usb_blocked).


Cancels print jobs unless an authorized person is at the workstation.

To enable Print Protection:

  1. Go to Departments > select a department
  2. Open the Endpoint DLP card
  3. Toggle Print Protection on
  4. Click Save

Per-Station Settings

Individual station settings are configured from the station detail page.

Station Detail

To configure a station:

  1. Go to Stations > click a station
  2. Adjust settings in the configuration panel
  3. Click Save — changes sync within ~5 seconds

Note

No restart is required. The daemon reads updated config on its next detection cycle.


Debug Mode (Per-Station)

Debug Mode enables live log streaming and sends camera frames to the dashboard with each detection event.

Station Capture Logs

To enable Debug Mode:

  1. Go to Stations > select a station
  2. Toggle Capture on (top of station page)
  3. Open the Capture Logs tab to see live output

Use LOG_LEVEL = DEBUG for verbose output. Turn Debug Mode off when done.

Warning

Debug Mode stores camera frames on the dashboard server. Only enable it when actively investigating an incident.


Alerts & Notifications

Email alerts and SIEM forwarding are configured in Admin → Notifications.

Email Alerts

  1. Go to Admin → Notifications → Email (SMTP)
  2. Enter your SMTP server details and recipient addresses
  3. Click Save & Test to verify the connection
  4. Set thresholds in the Thresholds tab — alerts fire when a detection type exceeds the configured daily count

Alerts are de-duplicated: one email per event type per station per day.

SIEM / CEF Syslog

  1. Go to Admin → Notifications → SIEM
  2. Enter your SIEM host, port, and protocol (UDP or TCP)
  3. Enable and save — events are forwarded in CEF format immediately

Compatible with Splunk, QRadar, ArcSight, and any CEF-capable SIEM.

Alert Thresholds

Go to Admin → Notifications → Thresholds to set per-station and global daily thresholds per event type. Set to 0 to disable a threshold entirely.


AI Threat Analysis

The AI Analysis page automatically summarizes threat activity across all stations for a selected time period, highlights anomalies, and recommends actions.

AI Threat Analysis

Select a time range (Last Hour, Last 24h, Last 7 Days, Last 30 Days) and click Run Analysis. The Ask a Question tab lets you query the event data in natural language.


Admin Panel

The Admin Panel is accessible to admin-role users only. It provides system-level management tools.

Users

Create and manage dashboard user accounts and assign roles.

Admin Users

Roles:

Role Capabilities
Admin Full access — user management, system settings, all configuration
User Read-only monitoring — view stations, events, departments; no configuration changes

To create a user:

  1. Go to Admin → Users → Create User
  2. Enter username and password (min 12 chars, uppercase, lowercase, number, special character)
  3. Assign role: Admin or User

To reset a password:

  1. Go to Admin → Users
  2. Click the user → Reset Password
  3. Enter a new password meeting complexity requirements

Security notes: - Passwords are stored as bcrypt hashes (cost factor 12) — never in plaintext - Sessions expire on browser close (no persistent tokens) - Brute-force protection: login attempts are rate-limited at the reverse proxy (nginx) to 5/minute per IP, returning HTTP 429 on excess. For defense-in-depth, also use network-level controls (firewall, VPN) to restrict dashboard access to trusted networks.

Maintenance

The Maintenance tab shows server disk usage and lets you manage stored data.

Server Disk

A usage bar shows how much of the server's disk is occupied. The bar turns yellow at 80% and red at 95%. The two main consumers are detection frames and the events database.

Events

Field Description
Total events Number of detection events in the database
Database size Size of the SQLite database file on disk
Oldest / Newest Date range of stored events

To delete old events:

  1. Enter the number of days in the Older than (days) field
  2. Click Delete — events older than that threshold are permanently removed
  3. Set to 0 to delete all events

Events are lightweight records (timestamp, type, confidence score). Deleting old events does not affect detection frames.

Detection Frames

Camera snapshots saved when Debug Mode or Capture Mode is active. These are the largest disk consumers.

Field Description
Total frames Number of .jpg files stored on the server
Storage used Total disk space occupied by frames
Oldest / Newest Date range of stored frames

To back up frames:

  1. Enter the age threshold in Older than (days)
  2. Click Backup — a ZIP file is generated and downloaded to your browser

To delete frames:

  1. Enter the age threshold in Older than (days)
  2. Click Delete — frames older than that threshold are permanently removed from the server
  3. Set to 0 to delete all frames

Tip

Run Backup before Delete if you need to retain frames for compliance or forensic purposes.

Warning

Deletion is permanent and cannot be undone. Ensure your data retention policy permits deletion before proceeding.

System

View server platform details and restart the server if needed.

Admin System

Server Logs

Fetch live server-side logs for troubleshooting.

Admin Server Logs

About

View the installed version, license type, and license terms.

Admin About

Notifications

Configure email alerts (SMTP) and SIEM/CEF syslog forwarding. Set per-event-type thresholds for per-station and global alerts. See Alerts & Notifications above for full details.

AI Settings

Configure the LLM provider (Anthropic, OpenAI, or Ollama/Azure) used by the AI Analysis feature.

Admin AI Settings