And again, I think that’s a bit of a separate issue. These devices shouldn’t be equipped with cameras, let alone have the camera monitored/accessible.
The actual activity happening on the device: running applications, what’s on screen/in storage, even its location (with informed notice of said tracking), sure. But there’s no need to monitor/access the camera regardless of how or where the device is used.
A simple piece of tape fixes this problem. (plus education to teach students why, ofc)
https://docs.pi-hole.net/guides/dns/cloudflared/
I use pihole+cloudflared to translate all DNS requests on my LAN to DoH requests. Regular DNS isn’t permitted to leave my network. (port 53 outbound is blocked)
Can’t redirect/modify/monitor DoH requests like you can plain DNS.