
Administration

Admin Guide

Dashboard, policies, devices, destinations, and audit logs

Dashboard overview

The admin dashboard gives you real-time visibility into all AI interactions across your organization. Access it at http://SERVER-IP:8081 (port configurable via BLEEP_WEB_PORT). For LAN deployments, start the server with --bind 0.0.0.0.

  • Dashboard - Detection trends, active devices, recent alerts, overview statistics
  • Devices - Connected endpoints, status, last seen time, seat management
  • Violations - Full audit log of all detected sensitive data events
  • Policies - Detection patterns and enforcement rules
  • Discovery - Which AI services are being accessed by your organization
  • Destinations - Managed list of monitored domains (AI, collaboration, code sharing, etc.)
  • Settings - Organization config and license management

Operating modes

Bleep supports three modes. Default is Enforcing. Change via BLEEP_MODE or the config file.

Learning

Silently logs all detections without any user-facing action. Useful for initial traffic analysis before rolling out policies.

Warning

Logs and warns users about detections, but does not block or redact requests.

Enforcing (default)

Actively blocks or redacts sensitive data based on policy rules.

Start with Warning mode during initial rollout to understand traffic patterns before switching to Enforcing.


Detection patterns

Bleep ships with 6 built-in detection patterns plus automatic file scanning (images via OCR, PDFs, Office documents, and text files). All are enabled by default and configurable in the Policies page.

Pattern              Severity
OpenAI API Key       High
Anthropic API Key    High
AWS Access Key       High
AWS Secret Key       High
Stripe Secret Key    High
Google API Key       High

Additional features: response inspection and entropy-based secret detection. Both are enabled by default.


Destinations

Bleep monitors traffic to configured destination categories. The built-in configuration covers 800+ domains across 17 categories. The main groups:

  • AI Services (High risk) - ChatGPT, Claude, Gemini, Copilot, Cursor, DeepSeek, Midjourney, and many more
  • Collaboration (Medium risk) - Slack, Discord, Teams, Telegram
  • Code Sharing (High risk) - Pastebin, GitHub Gist, CodePen
  • Email (Medium risk) - Gmail, Outlook, Yahoo, ProtonMail
  • Custom - Add your own organization-specific destinations

Manage from the Destinations page. AI Services, Collaboration, Code Sharing, and Email are enabled by default. Custom is disabled by default.

MCP & AI agents: Tools like Claude Desktop, Cursor, Windsurf, and Cline connect to AI APIs over HTTPS. Bleep intercepts these connections automatically — no MCP server configuration needed.


Device management

Each device running Bleep appears in the Devices page. Devices register on first license validation and are tracked via heartbeat.

  • View devices - All connected endpoints, OS, version, last heartbeat
  • Monitor status - Track which devices are online based on heartbeat
  • Seat tracking - Usage across all active devices vs. license limit
  • Instance binding - License is bound to its first instance; use rebind to transfer
  • Revoke seat - Sends an unenroll command to the device and immediately revokes the seat. The device stops its proxy and restores system settings.

Device tiers

Group devices by department or role to apply different policies per group. Create tiers (e.g., Engineering, Sales, Executives) on the Devices page with a name and color. Assign devices to tiers individually or in bulk.

  • Create tiers - Click "+ Add Tier" on the Devices page. Choose a name, description, and color.
  • Assign devices - Use the Tier dropdown in each device's row, or select multiple devices for bulk assignment.
  • Tier-based policies - When creating a policy rule, select specific tiers from the "Device Tiers" dropdown. Policies with "All Tiers" (default) apply to every device.
  • Filter by tier - Use the device filter dropdown to view only devices in a specific tier.

Example: Create a "Block code sharing for Sales" policy with action Block, destination category "code_sharing", and device tier "Sales". Engineering devices will be unaffected.


License enforcement

The admin server validates its license via heartbeat every hour.

When a license expires or is revoked

  • The admin server stops its local proxy
  • A stop_proxy command is broadcast to all enrolled devices
  • New seat creation, enrollment, and tokens are blocked (403)
  • Device sync responses include license_valid: false

Offline grace period

If the admin server cannot reach the cloud for validation, a 7-day grace period allows continued operation. After 7 days without verification, the proxy stops on all devices. This persists across restarts.

Instance conflict

If the same license key is activated on a different server, the old server automatically stops its proxy and sends a change_server_url command to redirect all enrolled devices to the new server. The license rebinds automatically — no manual intervention required.


Policy configuration

Policies determine how Bleep responds when sensitive data is detected. Each policy rule matches on conditions (severity, pattern tags, destination category, and device tier) and assigns an action. Configure from the Policies page in the dashboard.

Block

Stop the request entirely. Nothing is sent to the AI service.

Redact

Replace sensitive data with placeholders, then forward the request.

Warn

Alert the user but allow the request to proceed.

Log

Silently record the event for compliance without interrupting.

Custom redaction styles

By default, Bleep replaces detected sensitive data with [REDACTED]. You can configure per-pattern and per-blocklist-item redaction styles for more context-aware replacements.

Three modes are available:

Fixed Text

Replace with a custom string (e.g., [CONFIDENTIAL], [REMOVED]). Useful for blanket redaction across categories.

Type Label

Replace with the pattern name in brackets (e.g., [OPENAI_API_KEY], [CREDIT_CARD]). Provides context about what type of data was removed, helping AI tools and reviewers understand the redaction.

Partial Masking

Mask most of the value while revealing the last N characters (e.g., ************1234). Useful for credit cards and phone numbers where partial visibility aids debugging.

Configuration:

  • In the Pattern editor, select a Redaction Style from the dropdown after setting severity
  • For blocklist items, configure the style when adding a new item
  • Patterns without a custom style default to [REDACTED]
  • Enterprise: redaction styles sync to endpoints via device sync
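
The three redaction styles above, sketched as an added example (this is not Bleep's own code). The regexes, the STYLES mapping, the function names, and the rule that partial masking never reveals more than a quarter of a value are assumptions made for illustration; the sample key and card number are constructed test values.

```python
import re

# Constructed detection patterns for illustration; the product's real
# patterns are not shown on this page.
PATTERNS = {
    "AWS_ACCESS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "CREDIT_CARD": re.compile(r"\b\d{16}\b"),
}

# Hypothetical per-pattern style configuration: (mode, argument).
STYLES = {
    "AWS_ACCESS_KEY": ("type_label", None),
    "CREDIT_CARD": ("partial_mask", 4),
}
DEFAULT_STYLE = ("fixed_text", "[REDACTED]")


def render(name, value, style):
    """Return the replacement text for one detected value."""
    mode, arg = style
    if mode == "fixed_text":
        return arg
    if mode == "type_label":
        return f"[{name}]"
    if mode == "partial_mask":
        # Assumed safeguard: cap the revealed tail at a quarter of the
        # value so a short secret is never exposed whole.
        keep = min(arg, len(value) // 4)
        tail = value[-keep:] if keep else ""
        return "*" * (len(value) - keep) + tail
    raise ValueError(f"unknown redaction mode: {mode}")


def redact(text, styles=STYLES):
    """Redact every match; return the new text plus metadata-only events."""
    events = []
    for name, rx in PATTERNS.items():
        def replace(match, name=name):
            # Record what was detected, never the matched content itself.
            events.append({"pattern": name, "action": "redacted"})
            return render(name, match.group(0), styles.get(name, DEFAULT_STYLE))
        text = rx.sub(replace, text)
    return text, events


if __name__ == "__main__":
    sample = "key AKIAIOSFODNN7EXAMPLE card 4111111111111111"  # constructed
    print(redact(sample))
```

Patterns missing from the style mapping fall back to [REDACTED], matching the default described above.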

Audit logs

Every detection event is recorded. Access from Violations in the dashboard. Each entry includes:

  • Timestamp and device identifier
  • Detection pattern that triggered
  • Action taken (blocked, redacted, warned, logged)
  • Destination AI service
  • Severity level

The actual sensitive data content is never stored in audit logs. Only metadata about the detection is recorded.


Server migration & resilience

Bleep handles three migration scenarios for the admin server. In all cases, enrolled endpoint devices redirect automatically — no manual reconfiguration on each device.

Scenario 1: IP or hostname change (data intact)

If the server's IP address or hostname changes but the data is intact, simply start the server on the new address. The server's license heartbeat reports the new URL to the cloud. Devices that can't reach the old address will automatically query the cloud after ~3 minutes, discover the new URL, and reconnect.

Scenario 2: New machine (data transfer)

Export an encrypted backup from the old server (Settings → Backup & Restore → Export). On the new server, the Setup Wizard offers "Restore from backup" — upload the .bleep-backup file and enter the backup password. All data, CA certificates, policies, and configurations are restored. A new instance ID is generated, and you'll need to re-enter your license key to activate the new server. Devices redirect automatically via cloud relay.

Scenario 3: Disaster recovery

Enable scheduled backups (daily or weekly) in Settings. Backups are encrypted with AES-256. If the server is lost, deploy a fresh instance, restore from the most recent backup via the Setup Wizard, and re-enter your license key. Old backups are auto-pruned based on your retention settings.

How devices redirect

Two mechanisms ensure devices find the new server:

  • Cloud relay — after ~3 minutes of failed sync attempts, endpoints query the cloud for the current server URL. If it differs from their enrollment, they update and reconnect. Fully automatic, no admin action needed.
  • Remote redirect command — when a license conflict is detected (new server activated), the old server sends change_server_url commands to all enrolled devices as a fallback.

Policy cache

Endpoint apps cache server policies locally. If the server is temporarily unreachable, endpoints continue protecting with the last known policies. Corrupt caches are automatically discarded and replaced with built-in defaults until the next sync.

