Overview
ScreenStop runs as three components on each protected workstation:
| Component | Role |
|---|---|
| ScreenStopMain | Background daemon — camera detection, YOLO + InsightFace |
| ScreenStopMenu | Menu bar app — controls daemon, syncs config from dashboard |
| ScreenStopGUI | Control Center — local settings, face enrollment |
All three are installed together via the .pkg (macOS) or .exe (Windows) installer.
How it works
- ScreenStopMenu launches on login and starts ScreenStopMain
- The daemon captures frames from the webcam every ~1.4 seconds
- YOLO detects phones and persons; InsightFace identifies faces
- On a threat → the event is logged and sent to the dashboard; if the department is enforcing, the screen also locks/blurs
- All events are sent to the Dashboard in real time
- The Dashboard can push config changes back to stations
Deploys silent-first
New installs start in silent mode (the default General department): detection and events work immediately with no enforcement and no user disruption. You verify everything works, then enable enforcement deliberately. See Rollout / Going Live.
Data Flows
| Data | Stays on workstation | Sent to dashboard | Sent elsewhere |
|---|---|---|---|
| Camera frames (normal operation) | Never stored | Never sent | — |
| Camera frames (Capture Mode enabled) | ✅ Local disk only | ✗ | — |
| Camera frames (Debug Mode enabled) | ✗ | ✅ Live stream | — |
| Detection events (timestamp, type, confidence) | ✅ Log file | ✅ Dashboard DB | ✅ SIEM (if configured) |
| Face encodings | ✅ Local disk only | ✗ | — |
| Station config | ✅ AppData | ✅ Synced from dashboard | — |
| Admin actions (login, config changes) | — | ✅ Dashboard server | — |
| AI Analysis (optional, admin-triggered) | — | Event metadata only (no frames) | ⚙️ Customer-controlled LLM — local Ollama only in on-prem/OCI builds (no external calls) |
AI Analysis is off by default and local-only on-prem
The optional AI Analysis feature summarizes event data with an LLM. It is disabled until an admin configures a provider, and sends event metadata only — never camera frames. On-prem / OCI deployments are locked to a local Ollama model (SCREENSTOP_LLM_LOCAL_ONLY), so no data leaves the tenancy. Cloud providers (Anthropic/OpenAI/Azure) are available only if a customer explicitly enables them.
Key points:
- Camera frames are never uploaded in normal operation — only in Debug Mode (IT-controlled, per-station toggle)
- Face recognition data is local only — never leaves the workstation
- All agent → dashboard communication uses the configured HTTPS endpoint
Network Requirements
Agents initiate outbound-only connections. No inbound ports are required on workstations.
| Source | Destination | Port | Protocol | Purpose |
|---|---|---|---|---|
| Agent (workstation) | Dashboard server | 443 (or configured port) | HTTPS/TLS | Event reporting, config sync, heartbeat |
| Admin browser | Dashboard server | 443 | HTTPS/TLS | Dashboard UI |
| Dashboard server | SMTP server | 587 (or configured) | SMTP/TLS | Email alerts (optional) |
| Dashboard server | SIEM | 514 (or configured) | UDP or TCP | CEF syslog forwarding (optional) |
Agents do not open any listening ports. All communication is initiated outbound from the agent to the server.
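One way to check both claims on a macOS workstation (no listening ports, connections only to the dashboard) is to audit `lsof` output for the three components. This is an added example, not ScreenStop code. It assumes the process names match the component names in the overview table, and the sample input is constructed with documentation-range addresses.

```python
"""Audit `lsof +c 0 -nP -i` output against the network claims above."""
import subprocess
import sys

# Assumption: process names equal the component names in the overview table.
COMPONENTS = {"ScreenStopMain", "ScreenStopMenu", "ScreenStopGUI"}

# Constructed sample (documentation-range addresses), not real agent output.
SAMPLE = """\
COMMAND         PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ScreenStopMain  412 alice 14u IPv4 0x1a   0t0      TCP  10.0.0.5:52344->203.0.113.10:443 (ESTABLISHED)
ScreenStopMenu  398 alice 9u  IPv4 0x1b   0t0      TCP  10.0.0.5:52350->198.51.100.7:443 (ESTABLISHED)
ScreenStopGUI   455 alice 7u  IPv4 0x1c   0t0      TCP  *:8765 (LISTEN)
Safari          501 alice 22u IPv4 0x1d   0t0      TCP  10.0.0.5:52360->192.0.2.44:443 (ESTABLISHED)
"""


def audit(lsof_text, dashboard):
    """Return (process, pid, kind, socket) findings for ScreenStop sockets.

    dashboard is the expected (ip, port); lsof -n prints numeric addresses."""
    findings = []
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] not in COMPONENTS:
            continue  # header, short line, or another program's socket
        proc, pid, proto, name = f[0], f[1], f[7], f[8]
        state = f[9].strip("()") if len(f) > 9 else ""
        if "->" in name:
            # Connected socket: the remote end must be the dashboard.
            host, _, port = name.split("->", 1)[1].rpartition(":")
            if (host.strip("[]"), int(port)) != dashboard:
                findings.append((proc, pid, "unexpected-peer", name))
        elif state == "LISTEN":
            findings.append((proc, pid, "listening", name))
        elif proto == "UDP":
            findings.append((proc, pid, "udp-bound", name))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live run: <dashboard-ip> <port>
        text = subprocess.run(["lsof", "+c", "0", "-nP", "-i"],
                              capture_output=True, text=True).stdout
        target = (sys.argv[1], int(sys.argv[2]))
    else:
        text, target = SAMPLE, ("203.0.113.10", 443)
    for finding in audit(text, target):
        print(*finding)
```

`lsof` does not show which side opened a connection, so a clean result is best paired with a host firewall rule that denies inbound traffic to these processes.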
System Requirements
macOS:
- macOS 11.0 (Big Sur) or later
- Intel or Apple Silicon
- 2 GB available disk space
- Built-in or external webcam

Windows:
- Windows 10/11 (64-bit)
- 2 GB available disk space
- Built-in or external webcam