Overview

ScreenStop runs as three components on each protected workstation:

| Component      | Role                                                        |
|----------------|-------------------------------------------------------------|
| ScreenStopMain | Background daemon — camera detection, YOLO + InsightFace    |
| ScreenStopMenu | Menu bar app — controls daemon, syncs config from dashboard |
| ScreenStopGUI  | Control Center — local settings, face enrollment            |

All three are installed together via the .pkg (macOS) or .exe (Windows) installer.

How it works

  1. ScreenStopMenu launches on login and starts ScreenStopMain
  2. The daemon captures frames from the webcam every ~1.4 seconds
  3. YOLO detects phones and persons; InsightFace identifies faces
  4. On a threat → the event is logged and sent to the dashboard; if the department is enforcing, the screen also locks/blurs
  5. All events are sent to the Dashboard in real time
  6. The Dashboard can push config changes back to stations

Deploys silent-first

New installs start in silent mode (the default General department): detection and events work immediately with no enforcement and no user disruption. You verify everything works, then enable enforcement deliberately. See Rollout / Going Live.

Data Flows

| Data                                             | Stays on workstation | Sent to dashboard               | Sent elsewhere                                                                          |
|--------------------------------------------------|----------------------|---------------------------------|-----------------------------------------------------------------------------------------|
| Camera frames (normal operation)                 | Never stored         | Never sent                      |                                                                                         |
| Camera frames (Capture Mode enabled)             | ✅ Local disk only   |                                 |                                                                                         |
| Camera frames (Debug Mode enabled)               |                      | ✅ Live stream                  |                                                                                         |
| Detection events (timestamp, type, confidence)   | ✅ Log file          | ✅ Dashboard DB                 | ✅ SIEM (if configured)                                                                 |
| Face encodings                                   | ✅ Local disk only   |                                 |                                                                                         |
| Station config                                   | ✅ AppData           | ✅ Synced from dashboard        |                                                                                         |
| Admin actions (login, config changes)            |                      | ✅ Dashboard server             |                                                                                         |
| AI Analysis (optional, admin-triggered)          |                      | Event metadata only (no frames) | ⚙️ Customer-controlled LLM — local Ollama only in on-prem/OCI builds (no external calls) |

AI Analysis is off by default and local-only on-prem

The optional AI Analysis feature summarizes event data with an LLM. It is disabled until an admin configures a provider, and sends event metadata only — never camera frames. On-prem / OCI deployments are locked to a local Ollama model (SCREENSTOP_LLM_LOCAL_ONLY), so no data leaves the tenancy. Cloud providers (Anthropic/OpenAI/Azure) are available only if a customer explicitly enables them.

Key points:

  - Camera frames are never uploaded in normal operation — only in Debug Mode (IT-controlled, per-station toggle)
  - Face recognition data is local only — never leaves the workstation
  - All agent → dashboard communication uses the configured HTTPS endpoint
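The table above is a policy statement; the place to enforce it is where the agent serialises an event for the dashboard. The following is an added example (not ScreenStop's own code) of an egress allowlist that keeps frames and face encodings out of the event payload unless Debug Mode is enabled on that station. The field names (`frame_jpeg`, `face_encoding`, `station_id`) and the sample event are assumptions constructed for illustration; the page only states that events carry timestamp, type and confidence.

```python
"""Egress allowlist for agent -> dashboard event reports.

Added example, not ScreenStop code. Field names are assumptions.
"""
import json
from typing import Any

# Metadata the dashboard needs. "timestamp", "type", "confidence" come from the
# data-flow table; "station_id" is an assumed field so the server can attribute events.
METADATA_FIELDS = {"timestamp", "type", "confidence", "station_id"}


class EgressViolation(Exception):
    """Raised when a payload would carry data the allowlist cannot classify."""


def build_dashboard_payload(event: dict[str, Any], debug_mode: bool = False) -> dict[str, Any]:
    """Return only the part of `event` that may leave the workstation.

    - Metadata fields are always forwarded.
    - Face encodings are dropped unconditionally (local only, no exception in the table).
    - Camera frames are forwarded only when Debug Mode is enabled on this station.
    - Any unclassified field fails closed, so a new field must be classified explicitly
      before it can ever reach the server.
    """
    payload: dict[str, Any] = {}
    for key, value in event.items():
        if key in METADATA_FIELDS:
            payload[key] = value
        elif key == "face_encoding":
            continue  # never sent, regardless of mode
        elif key == "frame_jpeg":
            if debug_mode:
                payload[key] = value
            # silently dropped in normal operation
        else:
            raise EgressViolation(f"unclassified field {key!r}; refusing to send")
    return payload


def serialise_for_dashboard(event: dict[str, Any], debug_mode: bool = False) -> bytes:
    """Serialise the allowlisted payload, with a final byte-level check as defence in depth."""
    body = json.dumps(build_dashboard_payload(event, debug_mode), sort_keys=True).encode()
    if not debug_mode and b"frame_jpeg" in body:
        raise EgressViolation("frame data present in a non-debug payload")
    if b"face_encoding" in body:
        raise EgressViolation("face encoding present in an outbound payload")
    return body


# Constructed sample event, shaped like what the daemon might hold in memory
# right after a detection (values are made up for the example).
SAMPLE_EVENT = {
    "timestamp": "2024-01-01T09:00:00Z",
    "type": "phone_detected",
    "confidence": 0.91,
    "station_id": "ws-0042",
    "frame_jpeg": "ffd8ffe0-constructed-jpeg-hex",
    "face_encoding": [0.1, 0.2, 0.3],
}

if __name__ == "__main__":
    print(serialise_for_dashboard(SAMPLE_EVENT).decode())
```

Failing closed on unclassified fields trades a little availability for confidentiality: a new field added elsewhere in the agent cannot reach the dashboard until someone decides which column of the data-flow table it belongs in.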


Network Requirements

Agents initiate outbound-only connections. No inbound ports are required on workstations.

| Source              | Destination      | Port                     | Protocol   | Purpose                                  |
|---------------------|------------------|--------------------------|------------|------------------------------------------|
| Agent (workstation) | Dashboard server | 443 (or configured port) | HTTPS/TLS  | Event reporting, config sync, heartbeat  |
| Admin browser       | Dashboard server | 443                      | HTTPS/TLS  | Dashboard UI                             |
| Dashboard server    | SMTP server      | 587 (or configured)      | SMTP/TLS   | Email alerts (optional)                  |
| Dashboard server    | SIEM             | 514 (or configured)      | UDP or TCP | CEF syslog forwarding (optional)         |

Agents do not open any listening ports. All communication is initiated outbound from the agent to the server.
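A practitioner rolling this out will want to verify the outbound-only claim on a real workstation rather than take it on faith. The following is an added example (not ScreenStop's own tooling) that audits a socket table against the documented flows: any agent component with a listening socket, or any agent connection to something other than the dashboard endpoint, is reported. The socket export format and the sample rows are constructed for the example; on a real host you would feed it the equivalent columns from `lsof -i` or `netstat -ano` and pass the dashboard's resolved address.

```python
"""Audit agent sockets against the documented network flows.

Added example, not ScreenStop code. The export format below is an
assumption; adapt parse_socket_table() to your platform's socket listing.
"""
from dataclasses import dataclass

# Component names from the Overview table.
AGENT_PROCESSES = {"ScreenStopMain", "ScreenStopMenu", "ScreenStopGUI"}


@dataclass(frozen=True)
class Socket:
    process: str
    state: str   # "LISTEN" or "ESTABLISHED"
    local: str   # "ip:port"
    remote: str  # "ip:port", or "*:*" for a listener


def parse_socket_table(text: str) -> list[Socket]:
    """Parse a whitespace-separated table of process/state/local/remote columns."""
    rows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        process, state, local, remote = line.split()
        rows.append(Socket(process, state, local, remote))
    return rows


def audit_agent_sockets(sockets: list[Socket], dashboard_addr: str, dashboard_port: int = 443):
    """Return (socket, reason) findings for agent sockets that violate the documented flows.

    Documented behaviour: agents initiate outbound connections to the dashboard on
    443 (or the configured port) and open no listening ports. Non-agent processes
    are out of scope and ignored.
    """
    expected_remote = f"{dashboard_addr}:{dashboard_port}"
    findings = []
    for s in sockets:
        if s.process not in AGENT_PROCESSES:
            continue
        if s.state == "LISTEN":
            findings.append((s, "agent component has a listening socket; none are documented"))
        elif s.remote != expected_remote:
            findings.append((s, f"outbound connection to {s.remote} is not the dashboard endpoint"))
    return findings


# Constructed socket export. 203.0.113.10 plays the dashboard server; the
# 198.51.100.7:8080 connection and the ScreenStopGUI listener are planted
# violations so the audit has something to report.
SAMPLE_EXPORT = """
# process        state        local              remote
ScreenStopMain   ESTABLISHED  10.0.0.15:52344    203.0.113.10:443
ScreenStopMenu   ESTABLISHED  10.0.0.15:52351    203.0.113.10:443
ScreenStopMain   ESTABLISHED  10.0.0.15:52360    198.51.100.7:8080
ScreenStopGUI    LISTEN       0.0.0.0:9000       *:*
Chrome           ESTABLISHED  10.0.0.15:52400    198.51.100.7:443
"""

if __name__ == "__main__":
    for sock, reason in audit_agent_sockets(parse_socket_table(SAMPLE_EXPORT), "203.0.113.10"):
        print(f"{sock.process:15} {sock.state:12} {sock.local:18} -> {sock.remote:20} {reason}")
```

Run it once after a silent-mode install and again after enabling enforcement; a clean result both times is the evidence you want before opening the agent egress rule on an otherwise default-deny host firewall.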


System Requirements

macOS:

  - macOS 11.0 (Big Sur) or later
  - Intel or Apple Silicon
  - 2GB available disk space
  - Built-in or external webcam

Windows:

  - Windows 10/11 (64-bit)
  - 2GB available disk space
  - Built-in or external webcam