v2.0.0 — Full Endpoint DLP
Release date: March 2026
What's New
v2.0 completes the Full Endpoint DLP story — identity-aware control over all three physical data exit points:
| Exit Point | Protection |
|---|---|
| Screen | Blur on unauthorized viewer (v1.x) |
| USB | Eject unless authorized person present (new) |
| Print | Cancel job unless authorized person present (new) |
Plus: Audit Mode — silent monitoring with no blocking, for safe rollouts.
New Features
Audit Mode
Run ScreenStop in observe-only mode. Every detection fires and is logged to the dashboard, but no action is taken — no lock, no blur, no USB eject, no print cancel.
Configured per department in the Dashboard → Audit & Capture Policy.
Recommended deployment workflow:
- Enable Audit Mode on all departments
- Run for 1–2 weeks, review events in the dashboard
- Tune detection sensitivity as needed
- Disable Audit Mode to go live with enforcement
USB Protection
Automatically ejects USB storage drives when an unauthorized person (or no one) is at the workstation.
- usb_blocked — USB ejected (enforcement mode)
- usb_detected — USB seen but not ejected (Audit Mode)
Configured per department in the Dashboard → Endpoint DLP.
Print Protection
Cancels print jobs when an unauthorized person (or no one) is at the workstation.
- print_blocked — job cancelled (enforcement mode)
- print_detected — job seen but not cancelled (Audit Mode)
Configured per department in the Dashboard → Endpoint DLP.
Capture Mode (Department Policy)
IT can push a department-wide policy to save detection snapshots to local disk on every station. Useful for compliance evidence retention.
Saved to detections/ folder on the station. Last 100 images kept (auto-cleanup).
Configured per department in the Dashboard → Audit & Capture Policy.
Security Hardening
Station API Token (C1)
All sync and event endpoints now require a Bearer token. Stations are configured via setup_parameters.json:
Set STATION_API_TOKEN in the server environment. If unset, the server operates in open/demo mode.
Secret Key Enforcement (C2)
The dashboard server refuses to start if DASHBOARD_SECRET_KEY is not set in the environment. The deploy script generates a random key automatically.
Path Traversal Fix (C4)
device_id values are now validated on receipt — only alphanumeric characters, dots, dashes, and underscores are accepted. Malformed IDs return HTTP 400.
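The check described above, as an added example (not ScreenStop's own code). It assumes device_id becomes a single directory name under a per-station base directory; validate_device_id, station_dir, handle_event and the 64-character limit are hypothetical. It also rejects "." and "..", which pass a pure character allowlist because dots are permitted.

```python
import re
from pathlib import Path

# Allowlist from the release note: alphanumerics, dots, dashes, underscores.
# The 64-character limit is an assumption, not stated in the release notes.
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def validate_device_id(device_id):
    """Return True only for IDs that are safe to use as one path component."""
    if not isinstance(device_id, str):
        return False
    # fullmatch, not match with "$": "$" also accepts a trailing newline.
    if DEVICE_ID_RE.fullmatch(device_id) is None:
        return False
    # "." and ".." consist only of allowed characters but are still
    # directory references, so they are rejected explicitly.
    return device_id not in (".", "..")


def station_dir(base_dir, device_id):
    """Map a device_id to its directory under base_dir, or raise ValueError."""
    if not validate_device_id(device_id):
        raise ValueError("invalid device_id")
    base = Path(base_dir).resolve()
    target = (base / device_id).resolve()
    # Defence in depth: the resolved path must be a direct child of base,
    # which also catches an existing symlink that points elsewhere.
    if target.parent != base:
        raise ValueError("device_id escapes base directory")
    return target


def handle_event(base_dir, device_id):
    """Hypothetical handler: the HTTP status the server would return."""
    try:
        station_dir(base_dir, device_id)
    except ValueError:
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample IDs, not taken from a real deployment.
    for sample in ["station-01", "lab_3.east", "..", "../etc", "a/b", "id\n", ""]:
        print(repr(sample), handle_event("/tmp/stations", sample))
```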
Upgrade Notes
- Dashboard redeployment required — new department config endpoints, new event types
- Station rebuild required — peripherals.py (USB/Print), AUDIT_MODE flag, CAPTURE_MODE flag
- Set STATION_API_TOKEN in server environment and DASHBOARD_API_TOKEN in setup_parameters.json on all stations before deploying to production
- Assign stations to departments in the Dashboard before configuring Endpoint DLP policy