How to Replace Cisco Umbrella in 14 Days: A Migration Playbook for IT Teams
If you've ever read a Cisco Umbrella migration plan from a partner, you know the cadence: discovery workshop, design phase, pilot, soft launch, hard launch, hyper-care. Three months on the calendar, half of it spent waiting on someone else.
The Cisco Umbrella replacement does not have to look like that. One Cisco Umbrella customer migrated 2,000 machines to dope.security in two days. Greylock Partners ran the evaluation and signed in 27 days from first touch. Outreach Health, a healthcare org with thousands of users, hit 99% device coverage in a week and cut web-access-related IT tickets by 70% in 90 days. (Outreach Health case study.)
Two weeks is realistic if you do the prep right. Here's the playbook we walk customers through.
Before you start: a 14-day plan assumes these things
This playbook assumes you have an MDM in place (Intune for Windows, Jamf or Intune for macOS), single sign-on through Microsoft Entra ID or Google Workspace, and a defined IT owner. Without those, add a week.
It also assumes you're replacing Cisco Umbrella with an agent-based Cisco Umbrella alternative. The math changes if the replacement is another cloud-proxy SWG, because then you're also re-architecting traffic routing and PAC files. We're going to use dope.security as the example because the deployment pattern is the one we know best. The structure of the playbook applies to any agent-based SWG.
If you want the full comparison of replacement options first, see Cisco Umbrella Alternatives in 2026: A Side-by-Side Comparison and the related pillar post Replacing Cisco Umbrella in 2026: Why DNS Filtering Stopped Being Enough.
Phase 1: Inventory and policy mapping (days 1–3)
This phase is unglamorous and it's where most migrations either save or lose time. Do it.
What you're documenting:
1. Cisco Umbrella SKU and component inventory. DNS-only, DNS Advantage, SIG Essentials, SIG Advantage. Whether you have the roaming client deployed. Whether Cisco Secure Client (formerly AnyConnect) is in the picture. Whether you use the Cisco Umbrella Reserved IP feature. Note: Cisco Umbrella Reserved IP and the Umbrella Roaming Client both have published end-of-life dates. If you're on the roaming client, software maintenance ended April 2, 2025, so plan accordingly.
2. Policy export. Pull your current category blocks, custom allow/block lists, destination lists, and bypass entries from the Cisco Umbrella dashboard. Most of these map cleanly to URL filtering policy in an agent-based SWG.
3. Identity provider integration. Confirm SSO will work from day one. dope.security supports SSO via OIDC with Microsoft and Google in the instant trial flow.
4. Endpoint scope. Mac and Windows counts, MDM enrollment status, exceptions (kiosks, build agents, dev VMs).
5. Bypass list. Specific apps or domains that need to skip inspection (some EDR/MDM vendors, conferencing software with strict cert pinning, legacy LOB apps). Build this list now, not at cutover.
6. The "things Cisco Umbrella doesn't see" list. This is the highest-value part of the discovery. Make a list of what you wish you could see and enforce that Cisco Umbrella can't, because the new SWG should pay for those gaps. HTTPS-inside content, file uploads, AI prompt content, personal ChatGPT/Claude logins on the same domain as your corporate tenant, MCP server traffic from AI tools running on developer laptops. (For the last one, see MCP Servers Are the New Shadow IT.)
Deliverable at end of phase 1: a one-page migration brief with current state, target state, and the named owner.
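One way to sanity-check the exported lists from items 2 and 5 before they are rebuilt in the new console. This is an added example, not code from dope.security or Cisco: the export layout, the sample entries, and the rule that an entry also matches its subdomains are all assumptions.

```python
# Added example: constructed data; the export layout is an assumption.
EXPORT = {
    "allow": ["https://Portal.example.com/login", "files.example.net"],
    "block": ["*.example.net", "tracker.example.org"],
    "bypass": ["meet.example.org:443", "example.org", "com"],
}

def normalize(entry):
    """Reduce a URL, wildcard or host:port entry to a bare lowercase hostname."""
    host = entry.strip().lower()
    host = host.split("://", 1)[-1]   # drop scheme
    host = host.split("/", 1)[0]      # drop path
    host = host.split(":", 1)[0]      # drop port
    if host.startswith("*."):
        host = host[2:]
    return host.rstrip(".")

def covers(parent, child):
    """True if an entry for `parent` also matches `child` (assumed semantics)."""
    return child == parent or child.endswith("." + parent)

def review(export):
    """Return (normalized lists, findings as (kind, entry, related) tuples)."""
    lists = {action: sorted({normalize(e) for e in entries if e.strip()})
             for action, entries in export.items()}
    findings = []
    for host in lists["bypass"]:
        if "." not in host:  # a bare TLD would exempt everything under it
            findings.append(("too-broad-bypass", host, None))
        for blocked in lists["block"]:
            if covers(host, blocked):  # bypass would skip a blocked destination
                findings.append(("bypass-hides-block", host, blocked))
    for host in lists["allow"]:
        for blocked in lists["block"]:
            if covers(blocked, host) or covers(host, blocked):
                findings.append(("allow-block-overlap", host, blocked))
    return lists, findings

if __name__ == "__main__":
    for finding in review(EXPORT)[1]:
        print(finding)
```

Every bypass entry is an inspection blind spot, so the `bypass-hides-block` and `too-broad-bypass` findings are the ones to resolve before the pilot.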
Phase 2: Pilot (days 4–7)
The pilot is small, instrumented, and short.
Pilot scope:
• 25–50 users across IT, security, and one business unit. Pick a mix of remote and in-office.
• One pilot group in your MDM. For Intune, an Entra ID group. For Jamf, a smart group.
• A communication template ready to send the pilot group on day 4.
Pilot mechanics:
1. Stand up the dope.console. Sign in with Google or Microsoft on the instant trial. You're in the console in minutes.
2. Import or rebuild the policy. Translate the Cisco Umbrella category list into URL filtering in dope.console. Most categories map one-to-one.
3. Enable on-device SSL inspection. This is the capability Cisco Umbrella DNS doesn't have at all and Cisco Umbrella SIG only has via backhaul. On dope.security it's on by default and it happens on the endpoint. For the architecture explanation, see On-Device TLS Inspection.
4. Push the agent via MDM. For Intune and Jamf, follow the MDM deployment playbook. Both flows are scripted and signed.
5. Run in monitor mode for 48 hours. Watch the URL filtering hit logs. Confirm your allow list and bypass list cover the actual workflow. Catch the apps your pilot users complained about that no one mentioned in the inventory.
6. Flip to enforce. End of day 7.
Don't extend the pilot past a week unless something in the logs tells you to. Most teams discover after 72 hours that there's nothing left to find.
Phase 3: Rollout (days 8–12)
This is the boring, fast part if phases 1 and 2 went well.
Rollout pattern:
• Day 8: Push to the rest of IT and all engineering. Same agent, same policy, broader MDM group.
• Days 9–10: Push to the largest user population in waves. We recommend three waves of roughly equal size. Most teams use existing org units in their MDM.
• Days 11–12: Catch the long tail. Contractors, kiosks, BYOD-with-MDM, the salesperson in Tokyo who's been on PTO.
What "ready for rollout" looks like:
• The agent is auto-deploying via MDM with no manual intervention.
• SSO works on the first try for new users.
• The block page and warn page are branded with your IT helpdesk contact.
• Your support team has a one-page runbook for "user X says the internet is broken." (Spoiler: it's almost always the bypass list, not the SWG.)
Outreach Health hit 99% device coverage in a week using this pattern. The Cisco Umbrella customer that did 2,000 machines in two days collapsed phase 2 and phase 3 into one continuous rollout because the IT team was confident in the policy mapping. You can do that too if your discovery is solid.
Phase 4: Cutover and decom (days 13–14)
You don't really need two days for this. You need a checklist.
The cutover:
1. Disable the Cisco Umbrella roaming client on the new SWG group. If you used Cisco Secure Client with the roaming module, disable the Umbrella module in the client profile.
2. Repoint DNS. If you pointed corporate DNS at Cisco Umbrella, repoint to your normal resolver. Your new SWG doesn't need DNS hijack; it inspects on-device.
3. Confirm no users are still routing through Cisco. Cisco Umbrella's dashboard will show traffic dropping. If a small group is still showing up, MDM enrollment is the usual culprit.
4. Hold renewal. Don't auto-renew Cisco Umbrella in the middle of cutover. Most teams hold the existing license for 30 days as a fallback, then cancel.
The decom:
• Remove the Cisco Umbrella roaming client from MDM packages so it doesn't reinstall on a wipe.
• Remove the DNS server entries from group policy and MDM configuration.
• Archive the policy export from phase 1. You'll want it for audit.
• Notify the security team that DNS-only filtering is no longer the inspection surface. From this point forward, HTTPS visibility, Cloud Application Control, and DLP belong to the new SWG.
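A check for the DNS repoint and decom steps above, as an added example rather than vendor tooling: it scans an endpoint inventory for machines whose resolvers still point at Cisco Umbrella and splits them by MDM enrollment, the usual culprit named in cutover step 3. The inventory columns and hostnames are constructed; the addresses are the public Umbrella/OpenDNS anycast resolvers and should be checked against Cisco's current documentation.

```python
import csv
import io
import ipaddress

# Public Cisco Umbrella / OpenDNS anycast resolvers (verify against Cisco docs).
UMBRELLA_RESOLVERS = {ipaddress.ip_address(a) for a in (
    "208.67.222.222", "208.67.220.220",
    "2620:119:35::35", "2620:119:53::53")}

# Constructed inventory; column names are hypothetical, not an MDM export format.
INVENTORY = """hostname,mdm_enrolled,dns_servers
lt-0142,yes,10.0.0.53;10.0.1.53
lt-0207,yes,208.67.222.222;10.0.0.53
mac-0031,no,208.67.220.220;208.67.222.222
lt-0388,yes,2620:0119:0035:0000:0000:0000:0000:0035
kiosk-07,no,10.0.0.53
"""

def leftover_umbrella(inventory_csv):
    """Group hosts that still list an Umbrella resolver by likely cause."""
    stale_config, not_enrolled = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # ip_address() canonicalizes, so expanded IPv6 forms still match.
        servers = {ipaddress.ip_address(s.strip())
                   for s in row["dns_servers"].split(";") if s.strip()}
        if not servers & UMBRELLA_RESOLVERS:
            continue
        if row["mdm_enrolled"].strip().lower() == "yes":
            stale_config.append(row["hostname"])   # profile or GPO residue
        else:
            not_enrolled.append(row["hostname"])   # never received the change
    return {"stale_config": stale_config, "not_enrolled": not_enrolled}

if __name__ == "__main__":
    print(leftover_umbrella(INVENTORY))
```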
Common gotchas
A few patterns we see often enough to call them out:
• Certificate pinning in legacy apps. A small number of apps refuse SSL inspection because they pin a specific cert chain. Put them on the bypass list. This is the same answer you'd give for any SWG, including Cisco Umbrella SIG.
• Conferencing software latency complaints. If users complain that Zoom or Teams feels different, it's not the inspection. It's that they were used to a roaming client that was making different routing decisions. Confirm with a quick traceroute.
• The "we still need DNS filtering for guest Wi-Fi" objection. True, but it's a different problem. The guest network can keep a DNS resolver. Your corporate endpoints don't need it.
• The "Cisco gave us a bundled deal" objection. Run the math on what Cisco Umbrella SIG, the roaming client seats, and the AnyConnect add-on actually cost at renewal. Then compare to a single per-seat agent-based price. The Cisco Umbrella replacement usually wins on TCO inside 12 months.
What "done" looks like
At the end of day 14:
• Every managed endpoint is running the new SWG agent.
• Every URL request, including HTTPS, is being inspected on-device.
• Policy changes push from the cloud console to every endpoint in seconds.
• Cloud Application Control is restricting personal Microsoft, Google, ChatGPT, and Claude logins on sanctioned domains. (See Blocking Personal Claude Accounts.)
• The IT ticket queue is shorter, not longer. Outreach Health saw a 70% drop in web-access tickets inside 90 days.
• Cisco Umbrella has been removed from the endpoint, from the renewal calendar, and from the architecture diagram.
Ready to plan yours?
If you're ready to scope a Cisco Umbrella replacement, the instant trial is the fastest way to see on-device SSL inspection running against your own traffic. Or book a 20-minute working session and we'll walk the policy mapping for your environment in real time.



