Getting Started

Deployment Guide

System requirements, setup, and network configuration

System requirements

Minimum

Windows 10 / macOS 12 / Ubuntu 22.04
4 GB RAM
200 MB disk space
Internet connection

Individual setup

The Individual plan runs as a standalone desktop application. No server or IT infrastructure required.

Download the installer from your dashboard (Windows .msi/.exe, macOS .dmg (coming soon), or Linux .AppImage/.deb/.rpm)
Run the installer and follow the setup process
Sign in with your email (one-time code) or enter your license key directly (format: LIC-XXXX-XXXX-XXXX-XXXX)
Install the CA certificate (required for HTTPS inspection of AI traffic)
Bleep starts protecting - runs in your system tray

Team deployment

Team plans include a centralized admin server for policy management and monitoring. The admin server runs on your infrastructure via Docker. It uses a local SQLite database — no external database server required. All data stays on your infrastructure.

Admin server setup (Docker)

Set your license key and start the server:

BLEEP_LICENSE_KEY=LIC-XXXX-XXXX-XXXX-XXXX docker-compose up -d

Replace LIC-XXXX-XXXX-XXXX-XXXX with your license key from the Licenses page. The dashboard defaults to port 8081 — override with BLEEP_WEB_PORT if needed.

Direct setup (no Docker)

Run the admin server directly with Python. Use --bind to make it accessible on your network:

python -m bleep --server-only --web-port 8081 --bind 0.0.0.0

By default the server listens on 127.0.0.1 (localhost). The --bind 0.0.0.0 flag makes it listen on all interfaces so other machines can connect. Docker deployments handle this via port mapping.

Open the dashboard at http://YOUR-SERVER-IP:8081. Use the server's LAN IP so employee machines can reach it.

Endpoint deployment

Deploy the endpoint app to team devices using your existing tools (SCCM, Intune, Jamf, etc.) or have users install manually.

Available as .msi (Windows), .dmg (macOS) (coming soon), .AppImage/.deb/.rpm (Linux)
Each endpoint requires a license key for activation
License is bound to the instance on first validation
Endpoint ports are managed from the admin dashboard and pushed to all devices automatically
After enrollment, assign devices to tiers (e.g., Engineering, Sales) for role-based policy targeting

Environment variables

Bleep can be configured via environment variables or a YAML config file (config.yaml).

Variable	Default	Description
BLEEP_LICENSE_KEY	-	License key (required)
BLEEP_WEB_PORT	8081	Dashboard & API port
BLEEP_BIND_HOST	127.0.0.1	Bind address - use `0.0.0.0` for LAN access
BLEEP_MODE	enforcing	Operating mode: `learning`, `warning`, or `enforcing`
BLEEP_SECRET_KEY	-	Session secret key (generate with `openssl rand -hex 32`)
BLEEP_SERVER_HOST	-	Server IP for enrollment links (set to your LAN/public IP in Docker)
BLEEP_DATA_DIR	/data	Data directory for SQLite database and logs
BLEEP_RETENTION_DAYS	90	Violation retention period in days
BLEEP_LICENSE_API_URL	(built-in)	License API URL override

Network configuration

Firewall rules

Bleep needs outbound HTTPS access for license validation and updates:

Service	Destination	Port
License validation	*.supabase.co	443
Updates & downloads	*.supabase.co	443
AI services (proxied)	See destinations config	443

Local ports

All bind to 127.0.0.1 by default. Use --bind 0.0.0.0 to accept connections from other devices. All ports are configurable.

Port	Purpose	Notes
8081	Web dashboard	Admin UI and API (admin server)
8080	HTTP/HTTPS proxy	Endpoint apps only — AI traffic routed via PAC
18080	PAC file server	Endpoint apps only — serves proxy.pac for selective routing

Only AI traffic is routed through the proxy via PAC-based selective routing. All other traffic goes direct. For team deployments, endpoint ports are managed centrally from the admin dashboard.

Quick Start Admin Guide