Skip to content

Install on macOS

Requirements

  • macOS 11.0 (Big Sur) or later
  • Intel or Apple Silicon
  • ~500 MB available disk space
  • Built-in or external webcam

Download

Download the latest installer from screenstop.co/downloads.

File: ScreenStop-Installer-v1.0.2.pkg


Interactive Installation

  1. Double-click ScreenStop-Installer-v1.0.2.pkg
  2. Follow the installer wizard (requires admin password)
  3. After installation, the menu bar app launches automatically
  4. Look for the camera icon in the menu bar

Silent / Command-Line Installation

sudo installer -pkg ScreenStop-Installer-v1.0.2.pkg -target /

The postinstall script automatically:

  • Sets permissions on /Applications/ScreenStop/
  • Creates a LaunchAgent (com.screenstop.menu.plist) for auto-start on login
  • Launches the menu bar app immediately

Enterprise Deployment (MDM)

Jamf Pro

  1. Go to Jamf Pro > Computers > Policies > New Policy
  2. Under Packages, upload ScreenStop-Installer-v1.0.2.pkg
  3. Set trigger: Enrollment Complete and/or Recurring Check-in
  4. Scope to target computer groups

Other MDM (Intune, Mosyle, Kandji)

Upload the .pkg as a macOS LOB/custom app in your MDM console.

Script-based deployment (ARD, Ansible)

#!/bin/bash
PKG_PATH="/path/to/ScreenStop-Installer-v1.0.2.pkg"

if [ -d "/Applications/ScreenStop/ScreenStopMenu.app" ]; then
    echo "Already installed, skipping."
    exit 0
fi

sudo installer -pkg "$PKG_PATH" -target /

Camera Permission

On first launch, macOS will prompt for camera access. The user must click Allow.

Without camera permission, ScreenStop cannot function.

Tip

If the prompt doesn't appear, go to System Settings > Privacy & Security > Camera and enable ScreenStopMain manually.


Headless Deployment (No Control Center)

By default, ScreenStop installs the Control Center (ScreenStopGUI.app) — a local settings panel visible to the end user.

For most enterprise deployments, IT should remove the Control Center after installation. This is the recommended approach for managed workstations because:

  • Prevents tampering — users cannot disable detection, change sensitivity, or pause protection
  • Enforces policy — all configuration is pushed centrally from the dashboard; local overrides are not possible
  • Reduces attack surface — no UI means no way for a user to interact with the agent

Privileged users (executives, IT staff) who need local control can keep the Control Center installed by omitting this step for their machines.

MDM Post-Install Script (Jamf / Intune / Kandji)

Add this as a post-install script in your MDM policy, scoped to all machines except privileged groups:

#!/bin/bash
# Remove ScreenStop Control Center — enforce headless/managed mode
rm -rf /Applications/ScreenStop/ScreenStopGUI.app

The daemon and menu bar app continue running normally. Only the local settings panel is removed.

Privileged users

Scope this script to exclude privileged user groups in your MDM. Those machines will retain the Control Center for local management.


Uninstallation

Via script:

sudo /Applications/ScreenStop/uninstall.sh

Manual:

killall ScreenStopMain ScreenStopMenu ScreenStopGUI 2>/dev/null
sudo rm -rf /Applications/ScreenStop
rm ~/Library/LaunchAgents/com.screenstop.menu.plist
launchctl remove com.screenstop.menu 2>/dev/null

User data at ~/Library/Application Support/ScreenStop/ is preserved.


Dashboard Configuration

Before deploying to stations, create a setup_parameters.json file and place it in the installer package. The postinstall script copies it to:

/Applications/ScreenStop/setup_parameters.json

Minimum configuration:

{
  "dashboard_url": {
    "value": "https://your-dashboard.example.com",
    "override": true
  },
  "dashboard_api_token": {
    "value": "your-token-here",
    "override": true
  },
  "capture_mode": {
    "value": true,
    "override": false
  }
}

Enable capture_mode for the dashboard Capture Logs tab

By default capture_mode is disabled, which means detection events arrive on the dashboard with no camera snapshots attached — the Capture Logs tab stays empty even though events flow normally. Set capture_mode: true in setup_parameters.json on first install (as shown above) to enable snapshot delivery out-of-the-box. Using "override": false means existing stations that have already been configured will not be touched on reinstall.

Full reference — all supported keys:

Key Description Example value
dashboard_url Dashboard server URL (no trailing slash) "https://10.0.20.5"
dashboard_port Dashboard port (omit if 443) 8080
dashboard_api_token Bearer token matching STATION_API_TOKEN on the server "abc123"
phone_detection Enable phone detection true
shoulder_surfing Enable shoulder surfing detection true
camera_covered Enable camera-covered detection true
stranger_face Enable unauthorized person detection true
unattended_screen Enable unattended screen detection true
audit_mode Log detections without enforcing locks/eject/cancel false
capture_mode Send camera snapshots with detection events (required for the dashboard Capture Logs tab) true
usb_protection Eject USB drives when unauthorized person present false
print_protection Cancel print jobs when unauthorized person present false

First install vs. reinstall behaviour:

  • First install (no previous setup_parameters_*.json archives found) — all keys are applied unconditionally.
  • Reinstall / upgrade — only keys with "override": true are applied. Keys with "override": false are skipped to preserve settings the user may have changed locally.

After processing, the file is renamed to setup_parameters_<timestamp>.json as a permanent audit record.

Note

Stations without setup_parameters.json will run in standalone mode — detection works but no dashboard sync.


Next Step

After installation, complete face enrollment so ScreenStop can recognize the authorized user.