Install on macOS
Requirements
- macOS 11.0 (Big Sur) or later
- Intel or Apple Silicon
- ~500 MB available disk space
- Built-in or external webcam
Download
Download the latest installer from screenstop.co/downloads.
File: ScreenStop-Installer-v1.0.2.pkg
Interactive Installation
- Double-click
ScreenStop-Installer-v1.0.2.pkg - Follow the installer wizard (requires admin password)
- After installation, the menu bar app launches automatically
- Look for the camera icon in the menu bar
Silent / Command-Line Installation
The postinstall script automatically:
- Sets permissions on
/Applications/ScreenStop/ - Creates a LaunchAgent (
com.screenstop.menu.plist) for auto-start on login - Launches the menu bar app immediately
Enterprise Deployment (MDM)
Jamf Pro
- Go to Jamf Pro > Computers > Policies > New Policy
- Under Packages, upload
ScreenStop-Installer-v1.0.2.pkg - Set trigger: Enrollment Complete and/or Recurring Check-in
- Scope to target computer groups
Other MDM (Intune, Mosyle, Kandji)
Upload the .pkg as a macOS LOB/custom app in your MDM console.
Script-based deployment (ARD, Ansible)
#!/bin/bash
PKG_PATH="/path/to/ScreenStop-Installer-v1.0.2.pkg"
if [ -d "/Applications/ScreenStop/ScreenStopMenu.app" ]; then
echo "Already installed, skipping."
exit 0
fi
sudo installer -pkg "$PKG_PATH" -target /
Camera Permission
On first launch, macOS will prompt for camera access. The user must click Allow.
Without camera permission, ScreenStop cannot function.
Tip
If the prompt doesn't appear, go to System Settings > Privacy & Security > Camera and enable ScreenStopMain manually.
Headless Deployment (No Control Center)
By default, ScreenStop installs the Control Center (ScreenStopGUI.app) — a local settings panel visible to the end user.
For most enterprise deployments, IT should remove the Control Center after installation. This is the recommended approach for managed workstations because:
- Prevents tampering — users cannot disable detection, change sensitivity, or pause protection
- Enforces policy — all configuration is pushed centrally from the dashboard; local overrides are not possible
- Reduces attack surface — no UI means no way for a user to interact with the agent
Privileged users (executives, IT staff) who need local control can keep the Control Center installed by omitting this step for their machines.
MDM Post-Install Script (Jamf / Intune / Kandji)
Add this as a post-install script in your MDM policy, scoped to all machines except privileged groups:
#!/bin/bash
# Remove ScreenStop Control Center — enforce headless/managed mode
rm -rf /Applications/ScreenStop/ScreenStopGUI.app
The daemon and menu bar app continue running normally. Only the local settings panel is removed.
Privileged users
Scope this script to exclude privileged user groups in your MDM. Those machines will retain the Control Center for local management.
Uninstallation
Via script:
Manual:
killall ScreenStopMain ScreenStopMenu ScreenStopGUI 2>/dev/null
sudo rm -rf /Applications/ScreenStop
rm ~/Library/LaunchAgents/com.screenstop.menu.plist
launchctl remove com.screenstop.menu 2>/dev/null
User data at ~/Library/Application Support/ScreenStop/ is preserved.
Dashboard Configuration
Before deploying to stations, create a setup_parameters.json file and place it in the installer package. The postinstall script copies it to:
/Applications/ScreenStop/setup_parameters.json
Minimum configuration:
{
"dashboard_url": {
"value": "https://your-dashboard.example.com",
"override": true
},
"dashboard_api_token": {
"value": "your-token-here",
"override": true
},
"capture_mode": {
"value": true,
"override": false
}
}
Enable capture_mode for the dashboard Capture Logs tab
By default capture_mode is disabled, which means detection events arrive on the dashboard with no camera snapshots attached — the Capture Logs tab stays empty even though events flow normally. Set capture_mode: true in setup_parameters.json on first install (as shown above) to enable snapshot delivery out-of-the-box. Using "override": false means existing stations that have already been configured will not be touched on reinstall.
Full reference — all supported keys:
| Key | Description | Example value |
|---|---|---|
dashboard_url |
Dashboard server URL (no trailing slash) | "https://10.0.20.5" |
dashboard_port |
Dashboard port (omit if 443) | 8080 |
dashboard_api_token |
Bearer token matching STATION_API_TOKEN on the server |
"abc123" |
phone_detection |
Enable phone detection | true |
shoulder_surfing |
Enable shoulder surfing detection | true |
camera_covered |
Enable camera-covered detection | true |
stranger_face |
Enable unauthorized person detection | true |
unattended_screen |
Enable unattended screen detection | true |
audit_mode |
Log detections without enforcing locks/eject/cancel | false |
capture_mode |
Send camera snapshots with detection events (required for the dashboard Capture Logs tab) | true |
usb_protection |
Eject USB drives when unauthorized person present | false |
print_protection |
Cancel print jobs when unauthorized person present | false |
First install vs. reinstall behaviour:
- First install (no previous
setup_parameters_*.jsonarchives found) — all keys are applied unconditionally. - Reinstall / upgrade — only keys with
"override": trueare applied. Keys with"override": falseare skipped to preserve settings the user may have changed locally.
After processing, the file is renamed to setup_parameters_<timestamp>.json as a permanent audit record.
Note
Stations without setup_parameters.json will run in standalone mode — detection works but no dashboard sync.
Next Step
After installation, complete face enrollment so ScreenStop can recognize the authorized user.