A Summer Cutover: Inside One District's Cisco Umbrella Replacement Across Every Campus

The CISO had a yellow Post-it stuck to her monitor with one date written on it. That date was the first day of school. Everything between the last bell of the previous year and that morning was the only window she had to run a Cisco Umbrella replacement across a campus footprint that spanned a large enterprise district, a five-figure device fleet, and a takehome program that touched almost every student.

Nobody wanted a vendor swap mid-semester. So the question wasn't whether to replace Umbrella. It was whether the entire change could happen, end to end, without bumping into the calendar.

Quick read

• Industry: Education
• Replaced: Cisco Umbrella
• Deployed: dope.SWG + CASB Neural

Pre-summer: the audit that made the calendar non-negotiable

Months before the change window opened, the team ran an internal audit that surfaced what everyone already suspected. DNS filtering wasn't catching what it was supposed to catch on encrypted traffic. Students were reaching content that should have been blocked because the categorization decision was happening at the lookup layer, not the session layer. The board didn't need a 90-page report. They needed a yes/no on whether the web filter actually inspects HTTPS, and the honest answer was no.

That audit set the timeline. The team needed an inspection-grade secure web gateway, deployed across every campus, before classes resumed. They started a structured eval against a short list. The team grounded the technical case in the case for replacing Cisco Umbrella in 2026, shared the framing with the assistant superintendent, and got a green light to pilot.

The pilot itself was small but deliberate: a single campus, two device types, real classroom traffic on a summer school cohort. The team also wanted to see what an on-device proxy SWG looked like in practice compared to the DNS-plus-roaming-client pattern they'd been living inside.

The summer change window: rollout, wave by wave

The cutover started the Monday after graduation. The team broke the district into rollout waves grouped by MDM hierarchy rather than geography, because that's how policies actually propagate in a K-12 environment.

Wave one was administrative laptops, where a missed block doesn't break a classroom. Wave two was staff devices, including the laptops that traveled home with teachers planning the new curriculum. Wave three was the student fleet, by far the largest, and the one with the takehome program attached. CASB Neural was layered in starting wave two, because the district's cloud drive tenant had years of external shares that nobody had ever audited.

The on-device proxy was the part that made the calendar work. There was no per-campus appliance to provision, no DNS forwarder to flip, no per-site change request to file with facilities. Policy lived on the device. As soon as MDM pushed the agent, the device was protected, whether it was sitting in a classroom or on a teacher's kitchen table.

The thing I kept telling the board was that we weren't buying a different DNS resolver. We were buying a different architecture. Once you understand that the inspection happens on the laptop, the whole calendar opens up, because you stop thinking in terms of network sites and start thinking in terms of devices.

- CISO, a large enterprise education organization

By the midpoint of the window, the operations team was running through the wave list ahead of schedule. The CISO kept a copy of the 14-day migration playbook pinned in the team channel as a reference, less because they needed every step and more because it set the tempo the team was actually hitting.

First week of school: what the bell test looked like

The bell test is what the network team called it. First period, first day, first bell. Either the policy holds or it doesn't, and you find out in about ninety seconds.

It held. Classroom devices loaded the policies they were supposed to load. Takehome devices that students brought back from summer still had policy enforced from the moment they signed in. The team ran spot checks on encrypted traffic across categories that Umbrella had been silently missing, and the inspection coverage matched what the pilot promised. The Wednesday after the start of school, the CISO emailed the cabinet a one-paragraph status update with no caveats.

The closer parallel the district found was another mid-market education team that walked through the same Umbrella displacement. Different size band, same architecture moment.

The support team behind the calendar

A summer cutover at this scale needs a vendor that actually answers when the question comes in. The district had a shared channel with named engineers from dope.security's 24/7 white glove global support team, and the questions that came up across the change window (an MDM scope question on a Sunday night, a CASB Neural policy clarification on a holiday Tuesday) got answered in minutes, not in tickets. The team running the cutover never had to repeat themselves to a Tier 1 agent reading from a script. That mattered when the calendar didn't have any slack in it.

What changed by the end of the first month

• HTTPS inspection coverage went from partial to near-complete across the device fleet.
• Off-network takehome devices held policy without a separate roaming client to manage.
• The annual licensing line came in at a meaningful percentage below the Umbrella renewal projection.
• CASB Neural surfaced an external-share inventory in the district's cloud drives that the team didn't know existed.
• Cabinet-level reporting on web filter posture moved from "mostly compliant" to a clean yes.

FAQ

Q: Can a multi-campus district really complete a Cisco Umbrella replacement inside a single summer?

Yes, if the agent is push-deployable via MDM and the architecture doesn't require per-site infrastructure. dope.SWG fits both, which is why the rollout collapses into MDM waves instead of campus-by-campus appliance work. Most education teams complete the change inside the standard summer change window.

Q: How does dope.security handle takehome devices that leave the district network?

Policy enforcement happens on the device itself. There's no separate roaming client trying to catch up with the cloud, and there's no DNS-only shortcut. A Chromebook or laptop that leaves the building still has full SSL inspection applied wherever it sits.

Q: What's the surprise win for K-12 teams that add CASB Neural during the migration?

It's almost always the external-share inventory. Years of "share this doc with a parent" or "share this folder with a vendor" actions add up, and most districts have no central view of what's currently exposed. CASB Neural produces that view in the first week.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world's top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.