Devices & Setup
Work-from-home failure plan
The goal is not a perfect office. It is a short, safe plan that keeps a bad morning from becoming a pile of random resets.
Who this is for
Home operators in 2026 running corporate VPN + Microsoft Entra Conditional Access + Teams/Zoom calls + a USB-C dock + cloud storage from a primary home internet line that occasionally fails mid-workday — and who need a calm first-15-minutes triage flow that preserves the immediate meeting and doesn't set off EDR/CAE re-auth cascades by panic-pressing the network reset button.
Outcome
A workflow that splits Wi-Fi-vs-Internet in the first 60 seconds, knows the CGNAT cost of every cellular fallback (T-Mobile / Starlink / Verizon all default to CGNAT — inbound services break, outbound VPN traverses fine), and accounts for Microsoft Entra Continuous Access Evaluation re-auth windows (Teams/SPO ~15 min, Exchange 35-40 min) so a hotspot pivot doesn't look like a broken VPN. It also recovers from the 2026-specific traps: Windows 11 25H2 KB5083769 BitLocker recovery loop, the 25H2 dock display-detection regression addressed by the May 2026 cumulative (KB5089549 — confirm you're patched), macOS Tahoe NSAutoFillHeuristicController CPU pin causing cursor lag, the WireGuard signing freeze blocking Mullvad/IVPN driver updates, DisplayLink Manager 16.0 for M5 Mac dock support, and Continuity Camera broken on iOS/iPadOS 26.3.
Required inputs
- Primary device classification: personal, work-managed (Intune / Workspace ONE / Jamf), or BYOD with corp MDM. Determines which troubleshooting actions are policy-safe vs which will trigger an EDR escalation.
- Fallback internet kit on standby: phone hotspot capability (data plan + tethering allowed), secondary line (T-Mobile 5G Home gateway, Starlink Mini, Verizon 5G Home, AT&T Internet Air, eSIM data plan like Airalo or GigSky). Note which fallbacks are CGNAT — all consumer cellular and most fixed-wireless defaults are.
- USB-C dock + cable inventory: a known-good USB-IF certified cable (EMARK chip) as swap-in, primary monitor + DisplayPort/HDMI cable, headset (USB + Bluetooth as failover), webcam if not using laptop built-in.
- UPS coverage for laptop + router + ONT to bridge a 15-30 min outage; pure-sine output for Active-PFC PSUs in modern desktops; LiFePO4 portable power station hybrid (EcoFlow DELTA 2, Bluetti AC180) acceptable for laptop loads despite 20-30 ms EPS transfer time.
- Meeting platform reality: Zoom 5.17+ compute-resource thresholds, Microsoft Teams 2.0 client (Win11 25H2 known sign-in failures via KB5079473), Google Meet AV1 codec for 1080p. Known camera/mic permission state on the device.
Step-by-step procedure
Run the 60-second Wi-Fi-vs-Internet split BEFORE touching the router
Do: Do not reset the router as the first action — that's a 3-5 min outage on top of the existing one. Triage in this order: (1) Does your phone show full Wi-Fi bars on the home SSID? If yes, Wi-Fi is up — the problem is upstream or device-only. (2) Open a phone browser tab to `https://1.1.1.1` — does it load? If no, internet is the problem (not Wi-Fi). (3) Connect the work laptop to the phone hotspot — does VPN reconnect cleanly? If yes, the home internet is the problem; pivot to fallback. (4) If the laptop works on the hotspot but other devices don't work on home Wi-Fi, the home Wi-Fi-vs-WAN split is confirmed and you can pivot the meeting first, fix later. DO NOT reset the router until you've confirmed multiple devices fail together — single-device failure is a device problem, not a network problem.
Expected result: Within 60 seconds, you know whether the problem is (a) home Wi-Fi only, (b) home internet (WAN), (c) work laptop / VPN / EDR, or (d) the meeting app/platform. The meeting decision (stay on home, pivot to hotspot, reschedule) follows from the diagnosis.
If not: If the symptom is ambiguous — phone works on Wi-Fi but laptop doesn't — check captive portal status via `http://www.msftconnecttest.com/connecttest.txt`; aggressive DoH or pre-portal VPN clients suppress the banner and look like 'internet broken'. See the 'internet works on phone, not laptop' runbook for the full split.
Pivot to cellular fallback knowing the CGNAT cost
Do: Cellular fallback gets the meeting back; it doesn't preserve inbound services. Every consumer carrier defaults to CGNAT in 2026: T-Mobile Home Internet all tiers, Starlink Residential/Roam default (Priority plan needed for public IPv4), Verizon 5G Home behind their NAT, AT&T Internet Air behind NAT. Effect: outbound VPN tunnels traverse fine (corporate VPN, Tailscale outbound) but inbound services break (port forwards, self-hosted services, Plex direct-connect). iOS Personal Hotspot: if the carrier detects tethering and throttles, set the client default TTL to 65 (Windows, elevated prompt: `netsh int ipv4 set global defaultcurhoplimit=65`; macOS: `sudo sysctl -w net.inet.ip.ttl=65`). Android USB tethering is ~25% faster than Wi-Fi hotspot, lower latency, and the phone charges in-flight — preferred for single-device meetings. eSIM fallback: GigSky has a 100 MB / 7-day free trial (no card); Airalo unlimited plans are full-speed up to ~3 GB/day then ~1 Mbps. Watch out for Microsoft Entra CAE re-auth: the IP change from Wi-Fi → hotspot triggers Continuous Access Evaluation. Teams/SharePoint re-auths in ~15 min, Exchange Online in 35-40 min. This looks like 'VPN works but Outlook keeps prompting' — it's the conditional access state, not a broken VPN.
Expected result: Meeting restored within 5 min. CAE re-auth completes for Teams within 15 min, Exchange within 40 min. Sign-in prompts during that window are expected, not a sign of broken VPN.
If not: If VPN works but corporate apps loop on Entra sign-in for >45 min, the conditional access policy may be blocking the new network location. Capture the exact error and contact IT — bypassing the VPN won't help; the policy gate is at the identity layer, not the network layer.
Respect the managed-device boundary — do not bypass EDR or VPN during an outage
Do: If the device is work-managed (Intune-joined / hybrid-joined / Entra-joined / MDM-enrolled), the EDR (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos) is non-negotiable. The CrowdStrike July 2024 outage memory: 8.5M Windows machines BSOD'd from Channel File 291 mismatch. Post-incident, all major EDR vendors moved to staged Rapid Response Content rollouts with customer-controlled delivery rings. IT teams in 2026 are slower to revert EDR changes than they used to be. What this means during a workday outage: (1) Do NOT disable the VPN, EDR, or firewall to 'see if that fixes it' — the conditional access policy almost certainly blocks the app re-login if the device isn't compliant. (2) Do NOT use the local admin password to disable services — that triggers a separate compliance alert. (3) Capture exact errors (screenshot + log) and pivot the meeting to phone or another device while IT investigates. (4) BitLocker recovery prompts during a workday outage (after a dock/USB change) are typically from boot-list changes (Win11 25H2 KB5083769 April 2026 default-On 'Boot Support for USB-C/TBT' + 'Preboot for TBT'). Have your BitLocker recovery key from the Microsoft account ready before changing dock state.
Expected result: Managed-device boundary respected. No EDR / VPN bypass attempted. Errors documented for IT. Meeting pivoted to alternate device or phone audio.
If not: If Microsoft Teams 2.0 shows 'You'll need the Internet for this' even when online (Win11 25H2 KB5079473 March 2026 sign-in failure), the registry workaround is `DisableCapiOverrideForRSA = 0`. If AVD/W365 WebRTC video/screen-share fails on 25H2 build 26100.6725+, check UAC — must be enabled.
Recover dock / display / camera failures without panicking the whole workstation
Do: Don't reboot the laptop as the first action — workday-relevant state is volatile. Triage dock failures in this order: (1) Re-seat the USB-C cable at both ends — EMARK chip failures cause silent downgrade to 5V/3A regardless of charger (37% of non-certified cables have EMARK issues). Symptom: dock disconnects under draw (camera + monitor + charging at the same time). (2) Try a known-good USB-IF certified cable (kept in the fallback kit). (3) Check the Windows 11 25H2 patch level — some operators report dock display-detection problems ('We didn't find another display') after the May 2026 cumulative updates (KB5089549, builds 26100.8457/26200.8457), which also fix the earlier BitLocker recovery loop. If a recent 25H2 update lines up with the symptom, try a separate DisplayPort or HDMI run direct to the laptop. (4) macOS Tahoe + DisplayLink: install DisplayLink Manager 16.0 (April 3, 2026 release) for M5 MacBook support; 15.1 fixed cursor/stylus lag on Tahoe. (5) Tahoe systemwide cursor lag on non-DisplayLink monitors: kill `NSAutoFillHeuristicController` (Activity Monitor → search → kill) or restart loginwindow if it pins a CPU core. (6) Continuity Camera broken on iOS/iPadOS 26.3 Beta 3 (iPhone 17 family, iPad Pro M5); on M1 Mac mini + iPhone 16 Pro Max wireless, sometimes requires an external webcam dongle plugged in as a 'kick'. Common fixes: disable AirPlay Receiver, quit VPN clients, restart Bluetooth.
Expected result: Dock failure isolated to cable, EDID negotiation, a recent 25H2 update, or DisplayLink driver — and the meeting either continues on direct-connect display or pivots to laptop screen + audio only.
If not: If the dock issue persists across cables and reboots, see the 'USB-C dock monitor not detected', 'HDMI monitor flickers through dock', or 'USB-C cable not working' runbooks for the full triage path. Some Thunderbolt 5 (Intel JHL9580 Barlow Ridge) docks shipped with unstable early firmware — Dell, Kensington, OWC all run rapid firmware updates.
Use UPS / portable power station to bridge the meeting through a power event
Do: NERC 2025-26 Winter Reliability Assessment flags WECC Northwest, WECC Basin, ERCOT, US Southeast, US Northeast, and Canadian Maritime for elevated shortfall risk in extreme cold; long-term winter peak projected up 65% by 2035. Build the UPS plan around 'finish the meeting' (15-30 min) for laptop + router + ONT (~150-200W total): a 600-1000 VA pure-sine UPS loaded at 40-60% of nameplate gets there. LiFePO4 portable power station hybrid (EcoFlow DELTA 2 — 30 ms EPS transfer time, near-silent fans idle; Bluetti AC180 — 1152 Wh / 1800 W, 20 ms transfer) bridges laptop + docked monitor through multi-hour outages but the transfer time is too slow for bare desktops with strict PSU hold-up. Active-PFC PSU + simulated-sine UPS = silent failure — verify pure-sine output spec for any modern NAS, gaming desktop, or Synology Plus/XS+ model. Critical: laser printers, microwaves, hair dryers must NEVER be on UPS battery outlets — fuser pulls 400-1000W in sub-second spikes that trip overload and can damage cheaper UPSes.
Expected result: Laptop + router + ONT survives a 15-30 min outage. UPS load is measured (Kill-A-Watt or UPS LCD) and matches expectations within 5W. No Active-PFC PSU dropouts during a test-pull.
If not: If UPS runtime is shorter than expected, see the 'UPS load planning' runbook for sizing math, battery-age derating (year-3 lead-acid loses ~30%), and NAS auto-shutdown integration.
Document the failure window, then schedule the root-cause fix off the clock
Do: After the meeting is preserved, capture the failure record in a single note: time of failure, affected devices, VPN state, router/UPS state, exact error text (screenshot if possible), meeting platform (Zoom 5.17+ thresholds; Teams 2.0 sign-in errors; Google Meet codec), what changed immediately before. Note CAE re-auth windows: if Teams worked again at minute 14 and Outlook at minute 38, that's the expected CAE behavior — not a flaky VPN. Don't troubleshoot the root cause during the workday: stacking 5 changes during a meeting window loses the original symptom and can't be reverted cleanly. Schedule the deep dive for end-of-day or weekend with the matching runbook: Wi-Fi room walk, VPN/local split, dock display, webcam, printer, or UPS load. The CrowdStrike memory: post-incident IT teams are slower to apply EDR changes; if you suspect the EDR is the problem, get it documented through IT, not bypassed.
Expected result: Failure window is documented with enough specifics that the root-cause fix can target one layer. Meeting completed; deep-dive scheduled.
If not: If the same failure recurs the next workday, escalate to IT (for managed devices) or to the matching V2 fix runbook before changing five things at once.
Commands and settings paths
Wi-Fi-vs-Internet split (phone test)
Phone browser > https://1.1.1.1
Where: Phone connected to home Wi-Fi (NOT cellular).
Expected: Page loads = Wi-Fi up + WAN up. Page fails = either Wi-Fi is up but WAN is down (home internet outage) or device-specific cellular fallback activated. Compare to phone browser on cellular to disambiguate.
Failure means: If 1.1.1.1 fails on Wi-Fi but succeeds on cellular, home internet (WAN) is down — pivot to fallback, don't reset router. If 1.1.1.1 fails on both, phone has a separate problem.
Safe next step: Pivot work laptop to phone hotspot for the meeting. Schedule home internet root-cause for after the meeting.
Windows captive portal status
PowerShell > Invoke-WebRequest -Uri http://www.msftconnecttest.com/connecttest.txt -UseBasicParsing
Where: Windows 11 laptop on the suspect network.
Expected: Body = 'Microsoft Connect Test'; StatusCode = 200. Anything else (redirect, timeout) = captive portal active or DNS hijack.
Failure means: Captive portal is intercepting. Aggressive DoH or pre-portal VPN clients suppress the banner — looks like 'internet broken'.
Safe next step: Open a plain HTTP page in browser to trigger captive portal; complete the captive portal flow before reconnecting VPN.
CGNAT detection on fallback connection
curl https://ifconfig.me/ip (PowerShell: (Invoke-WebRequest -Uri https://ifconfig.me/ip -UseBasicParsing).Content)
Where: Client behind the cellular/5G/Starlink fallback gateway.
Expected: Real public IPv4 (NOT in 100.64.0.0/10). T-Mobile / Starlink / Verizon / AT&T cellular all default to CGNAT in 100.64.0.0/10.
Failure means: Result in 100.64.0.0/10 = CGNAT. Outbound VPN works, but any inbound port-forward or self-hosted service won't be reachable.
Safe next step: If inbound services matter mid-day, use Tailscale Funnel or Cloudflare Tunnel rather than waiting for fallback to a non-CGNAT path.
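The 60-second Wi-Fi-vs-Internet split, the Windows captive-portal check and this CGNAT check as one bash script for a macOS/Linux laptop, added here as an example and not part of the HomeTechOps runbook. It assumes curl is installed and uses the page's own probe targets (1.1.1.1, msftconnecttest.com, ifconfig.me); the diagnosis strings and the `run` argument are this example's own.

```shell
#!/usr/bin/env bash
# Added example for this runbook (not HomeTechOps code): a shell version of the
# 60-second Wi-Fi-vs-Internet split, the captive-portal check and the CGNAT
# check for a macOS/Linux laptop. Assumes curl is installed; the probe targets
# (1.1.1.1, msftconnecttest.com, ifconfig.me) are the ones the page names.
# Probes run only with:  ./wfh-triage.sh run   (the classifiers are pure).

# Validate a dotted-quad IPv4 and classify it: cgnat (100.64.0.0/10),
# private (RFC 1918), public, or invalid (HTML error page, empty body).
classify_ipv4() {
  local ip=$1 a b c d o
  IFS=. read -r a b c d <<EOF
$ip
EOF
  for o in "$a" "$b" "$c" "$d"; do
    case "$o" in ''|*[!0-9]*) echo invalid; return 1 ;; esac
    [ "$o" -le 255 ] || { echo invalid; return 1; }
  done
  if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
    echo cgnat
  elif [ "$a" -eq 10 ] || { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; } \
    || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; }; then
    echo private
  else
    echo public
  fi
}
# connecttest.txt must be exactly this string; anything else (portal HTML,
# empty body on timeout) means interception or a DNS hijack.
portal_state() {
  if [ "$1" = "Microsoft Connect Test" ]; then echo clear; else echo captive; fi
}
# Map probe results to the page's diagnosis. wan: 1.1.1.1 by IP (0 = ok);
# dns: name resolution (0 = ok); portal: clear/captive.
diagnose() {
  local wan=$1 dns=$2 portal=$3
  if [ "$wan" -ne 0 ]; then
    echo "b: WAN or this laptop - confirm 1.1.1.1 on a phone on the same SSID before touching the router"
  elif [ "$portal" = captive ]; then
    echo "captive portal: finish the portal flow before reconnecting VPN"
  elif [ "$dns" -ne 0 ]; then
    echo "DNS only: IP path is up, resolver is not - change resolver, do not reset the router"
  else
    echo "c/d: network is up - suspect VPN/EDR/CAE state or the meeting app"
  fi
}
run_triage() {
  local wan dns rc body ip kind
  if curl -sS -m 5 -o /dev/null https://1.1.1.1/; then wan=0; else wan=1; fi
  # curl exit 6 = could not resolve host, which separates DNS from WAN.
  body=$(curl -sS -m 5 http://www.msftconnecttest.com/connecttest.txt) && rc=0 || rc=$?
  if [ "$rc" -eq 6 ]; then dns=1; else dns=0; fi
  echo "diagnosis: $(diagnose "$wan" "$dns" "$(portal_state "$body")")"
  # Run this part once on the fallback path; /ip returns a bare address.
  ip=$(curl -sS -m 5 https://ifconfig.me/ip || echo none)
  kind=$(classify_ipv4 "$ip" || true)
  echo "public IPv4: $ip ($kind)"
  if [ "$kind" = cgnat ]; then
    echo "CGNAT: outbound VPN traverses, inbound port-forwards are unreachable"
  fi
}
if [ "${1:-}" = run ]; then run_triage; fi
```

Sourcing the file without the `run` argument only defines the functions, so `classify_ipv4` can be fed the address shown by a 5G gateway's status page when curl is not available on the fallback path.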
Microsoft Entra CAE state
Microsoft 365 admin center > Sign-in logs > filter on user > look for 'Continuous access evaluation' result
Where: IT admin or self-service (some tenants).
Expected: After network IP change, expect 'Token revoked due to network location change' followed by a re-issue within Teams ~15 min / Exchange 35-40 min.
Failure means: If re-issue fails repeatedly, the new network's IP is outside the Conditional Access trusted-network list, or the device compliance state changed (BitLocker, Defender, EDR posture).
Safe next step: Capture the sign-in log entry and escalate to IT. Don't bypass VPN — the gate is at identity, not network.
Windows 11 25H2 dock display detection
Settings > System > Display > Detect (Win+P > Extend)
Where: Windows 11 25H2 laptop with USB-C dock.
Expected: Connected monitor detected within 5 seconds. Some 25H2 hosts hit 'We didn't find another display' on a USB-C dock — confirm you're patched to the May 2026 cumulative (KB5089549, builds 26100.8457/26200.8457) or later; workaround: direct DisplayPort/HDMI from laptop.
Failure means: If the monitor still isn't detected on a fully-patched 25H2 build, suspect the dock display path. Try a known-good USB-IF certified cable; if still failing, route direct-attach DP/HDMI for the meeting.
Safe next step: After the meeting, install dock firmware updates (Dell, Kensington, OWC all push firmware monthly for TB5 Barlow Ridge JHL9580 docks).
macOS Tahoe DisplayLink + cursor lag check
About This Mac > More Info > System Report > Software > Installations > DisplayLink Manager
Where: Mac on macOS Tahoe (26.x) with DisplayLink-driven external monitor.
Expected: DisplayLink Manager 16.0 (April 3, 2026) or later for M5 MacBook support and Tahoe stability. Activity Monitor shouldn't show NSAutoFillHeuristicController pinning a CPU core.
Failure means: If on DisplayLink Manager pre-16.0, cursor/stylus lag is expected on Tahoe. If NSAutoFillHeuristicController is pinning a core, systemwide cursor lag affects all monitors — kill the process or restart loginwindow.
Safe next step: Download DisplayLink Manager 16.0 from Synaptics. For autofill lag, restart loginwindow once and check whether the pin recurs.
Evidence to record
- Time of failure + duration; which devices failed together (phone + laptop + tablet vs only laptop).
- VPN state (connected / disconnected / re-auth loop), EDR state, captive portal banner state.
- Router/UPS state: load watts, battery age, last self-test, runtime estimate.
- Meeting platform + exact error text + screenshot.
- Fallback used (phone hotspot Wi-Fi or USB tethering, 5G home gateway, Starlink, eSIM) + whether it worked.
- CGNAT status of the fallback (`curl ifconfig.me`; if 100.64.0.0/10, no inbound).
- Microsoft Entra CAE re-auth windows observed (Teams ~15 min, Exchange 35-40 min — confirms CAE not VPN failure).
- Dock/display/cable state — which cable, KB5089549 status, DisplayLink Manager version, BitLocker recovery prompts.
Common mistakes
- Resetting the router as the first response to ANY connectivity issue — that's a 3-5 min outage on top of the existing one and destroys the symptom. Run the 60-second Wi-Fi-vs-Internet split first.
- Bypassing the corporate VPN or EDR to 'see if that fixes it' — Microsoft Entra Conditional Access locks down the app login on any non-compliant device state. Disabling Defender / Falcon / SentinelOne mid-meeting triggers a compliance alert + locks the user out further.
- Treating Entra CAE re-auth windows as broken VPN — Teams/SharePoint re-auths in ~15 min after a network change, Exchange Online in 35-40 min. Sign-in prompts during that window are expected, not a fault. Don't escalate to IT until past 45 min.
- Pivoting to cellular fallback without knowing CGNAT cost — T-Mobile / Starlink / Verizon / AT&T cellular all default to CGNAT. Outbound VPN works; inbound port-forwarded services and self-hosted Plex/Jellyfin/Tailscale-Funnel do not. Plan inbound services around tunnels, not port-forwards.
- Setting iOS Personal Hotspot TTL workarounds without checking carrier policy — TTL=65 workaround sidesteps carrier tethering detection but the carrier's plan may still block tethering at the SIM-policy layer. Verify your plan allows hotspot before relying on it for a workday outage.
- Choosing Wi-Fi hotspot over Android USB tethering — USB tethering is ~25% faster, lower latency, and charges the phone in-flight. Wi-Fi hotspot is only needed when multiple devices share the tether.
- Putting a laser printer / microwave / hair dryer / space heater on the UPS battery outlet — fuser pulls 400-1000W in sub-second spikes, trips UPS overload, often damages cheaper UPSes. Surge-only for high-draw appliances.
- Using a simulated-sine UPS with an Active-PFC PSU — the PSU sees the zero-crossing notch as a brownout and drops out the instant grid power fails. Verify 'pure sine wave' on the UPS spec sheet.
- Trusting EMARK chip integrity in non-USB-IF-certified cables — 37% of non-certified USB-C cables have EMARK issues. When the chip fails, the cable silently downgrades to 5V/3A regardless of charger — dock disconnects under draw. Keep a known-good USB-IF certified cable in the fallback kit.
- Installing the latest Windows 11 25H2 update on a meeting day — KB5083769 (April 2026) triggered BitLocker recovery loops, and some operators report USB-C dock display-detection problems lining up with month-of-release 25H2 updates. Hold off on month-of-release Patch Tuesday updates if a critical meeting is the same day.
- Ignoring WireGuard signing-account freeze on Windows — March 2026 Microsoft dev-account suspension blocks signed WireGuard kernel-driver updates for Mullvad / IVPN / AzireVPN on Windows. Userspace tun fallback works but is slower; plan around it during the freeze window.
- Forgetting to upgrade DisplayLink Manager on Tahoe — DisplayLink Manager 16.0 (April 3, 2026) is the validated Tahoe + M5 MacBook build. Pre-16.0 versions have cursor/stylus lag. Separate macOS Tahoe NSAutoFillHeuristicController CPU-pin bug affects ALL monitors regardless of DisplayLink — kill the process or restart loginwindow.
- Stacking 5 changes during a workday meeting window — original symptom is lost, can't be reverted cleanly, and the EDR may flag the cluster as suspicious behavior. Pivot the meeting first; deep-dive the root cause off the clock.
Stop points
- Stop before bypassing work-managed VPN, EDR (CrowdStrike Falcon, SentinelOne, Defender for Endpoint, Sophos), firewall, certificate, or BitLocker recovery — those are identity/compliance policies, not network knobs.
- Stop before factory-resetting the router or a managed work laptop mid-workday — both lose state that's hard to recover within the meeting window.
- Stop before plugging laser printers, microwaves, hair dryers, or space heaters into the UPS battery outlet — high-draw devices trip overload and can damage the UPS.
- Stop before swapping cables, docks, or chargers on a non-USB-IF-certified product mid-meeting — silent EMARK downgrades or bent CC-pin shorts (driving 20V onto VCONN) have killed Thunderbolt 5 controllers.
- Stop before submitting CGNAT-bound port-forward requests to IT — the gate is at the carrier NAT layer, not the home router or VPN.
Last reviewed
2026-05-06
Source-backed checks
HomeTechOps turns official docs and conservative safety rules into a shorter runbook. These links are the source trail for the page direction.