CleanBrowsing: Cisco Umbrella Without the Enterprise Tax

Apr 29, 2026
Tony Perez (@perezbox)

If you are using Cisco Umbrella primarily for DNS filtering and off-network enforcement, CleanBrowsing covers that same use case — including a roaming agent for Windows — at a fraction of the cost and without the enterprise complexity. And unlike Umbrella, the features you actually use day-to-day are included in every paid plan, not locked behind add-on tiers.

How Umbrella's Roaming Client Works

Umbrella's Roaming Client is a lightweight agent installed on Windows and macOS devices. When the device leaves your corporate network, the agent ensures DNS queries still route through Umbrella's resolvers, keeping your filtering policies active. Without it, off-network devices revert to whatever DNS their ISP or network assigns.

That approach works well in tightly managed enterprise environments. For smaller IT teams, MSPs managing multiple clients, and schools running mixed device fleets, maintaining and updating a roaming agent across every device adds overhead that is hard to justify if DNS filtering is all you need from Umbrella.

CleanBrowsing Has a Roaming Agent — And It Goes Further

The CleanBrowsing Windows app functions as a roaming agent in the same way Umbrella's does: it installs on Windows devices and keeps DNS queries routing through CleanBrowsing regardless of which Wi-Fi or cellular connection the device is using. But it does not stop there.

Where Umbrella's Roaming Client focuses on routing, the CleanBrowsing agent also hardens the device against the common ways users try to circumvent DNS filtering:

  • Browser DoH lockdown: Chrome, Firefox, Edge, and Brave all have built-in encrypted DNS settings that let a browser bypass your network DNS entirely. The CleanBrowsing agent disables those browser-level DoH settings so there is no way to route around filtering by switching the browser's DNS provider.
  • PIN protection: DNS settings on the device are locked behind a PIN. Without the PIN, a user cannot switch resolvers, disable filtering, or uninstall the agent. This is enforced at the application level, not just a policy flag that a local admin can flip.
  • Enterprise PIN deployment: When deploying silently across a fleet via Intune, PDQ, or NinjaRMM, the PIN is set at install time using a command-line flag. Administrators control it centrally — end users never see it. See the Intune deployment guide for the full parameter set.

The result is a roaming agent that does what Umbrella's does, plus closes the bypass paths that typically get left open.
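
An added example, not CleanBrowsing's code: a Python check a Windows administrator could run to confirm that the browsers named above have DoH turned off by enterprise policy. It reads the browsers' documented policy values from HKLM (`DnsOverHttpsMode` for Chrome, Edge and Brave; `DNSOverHTTPS` with `Enabled` and `Locked` for Firefox); that the CleanBrowsing agent applies its lockdown through these policies is an assumption, and `SAMPLE` is constructed data.

```python
# Added example: audit browser DoH policy on Windows. SAMPLE is constructed test data.
CHROMIUM_KEYS = {  # Chromium-family browsers share the DnsOverHttpsMode policy
    "Chrome": r"SOFTWARE\Policies\Google\Chrome",
    "Edge": r"SOFTWARE\Policies\Microsoft\Edge",
    "Brave": r"SOFTWARE\Policies\BraveSoftware\Brave",
}
FIREFOX_KEY = r"SOFTWARE\Policies\Mozilla\Firefox\DNSOverHTTPS"

def read_snapshot():
    """Read the relevant HKLM policy values (Windows only)."""
    import winreg
    wanted = {key: ["DnsOverHttpsMode"] for key in CHROMIUM_KEYS.values()}
    wanted[FIREFOX_KEY] = ["Enabled", "Locked"]
    snap = {}
    for key, names in wanted.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                for name in names:
                    try:
                        snap.setdefault(key, {})[name] = winreg.QueryValueEx(handle, name)[0]
                    except FileNotFoundError:
                        pass  # value not set under this key
        except FileNotFoundError:
            pass  # browser has no policy key at all
    return snap

def audit_doh(snap):
    """Map each browser to OK / NOT_SET / UNLOCKED / DOH_ENABLED for a snapshot."""
    out = {}
    for browser, key in CHROMIUM_KEYS.items():
        mode = snap.get(key, {}).get("DnsOverHttpsMode")
        out[browser] = "NOT_SET" if mode is None else (
            "OK" if str(mode).lower() == "off" else "DOH_ENABLED")
    ff = snap.get(FIREFOX_KEY, {})
    if "Enabled" not in ff:
        out["Firefox"] = "NOT_SET"
    elif ff["Enabled"] != 0:
        out["Firefox"] = "DOH_ENABLED"  # policy explicitly turns DoH on
    else:  # DoH is off; it only stays off if the setting is also locked
        out["Firefox"] = "OK" if ff.get("Locked") == 1 else "UNLOCKED"
    return out

SAMPLE = {  # constructed: Chrome off, Edge forced to DoH, Brave unset, Firefox off but unlocked
    CHROMIUM_KEYS["Chrome"]: {"DnsOverHttpsMode": "off"},
    CHROMIUM_KEYS["Edge"]: {"DnsOverHttpsMode": "secure"},
    FIREFOX_KEY: {"Enabled": 0, "Locked": 0},
}

if __name__ == "__main__":
    print(audit_doh(SAMPLE))
```

On a managed endpoint, call `audit_doh(read_snapshot())` and treat anything other than `OK` as a device where browser DNS may not follow the filtering resolver.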

Coverage Beyond Windows and macOS

Umbrella's Roaming Client is primarily a Windows and macOS story. CleanBrowsing extends off-network enforcement to the full device fleet, including the mobile devices your team is using every day:

  • iOS: The Apple DNS Configurator generates a .mobileconfig profile that installs system-wide DoH filtering on iPhones and iPads in one tap. The profile follows the device off any Wi-Fi network and applies on cellular. Users cannot remove it without a PIN.
  • Android: The CleanBrowsing Android app enforces DNS filtering at the device level using Android's Private DNS and a hardened VPN tunnel as a fallback. It works on any Wi-Fi network and on cellular, with the same PIN-lock protection as the Windows app.
  • macOS: Deploy a DNS configuration profile system-wide using the Apple DNS Configurator. The profile applies DoH filtering and follows the device off-network.
  • Network-wide: Point your router's DNS to CleanBrowsing and every device on that network is covered — including IoT devices, smart TVs, and guest Wi-Fi — without touching them individually.

For organizations where staff use personal mobile devices or where BYOD is the norm, this matters. A policy that covers laptops but not phones leaves a gap that is easy to exploit.

And none of this is required. If your organization prefers to manage DNS natively — through a router setting, a GPO, an MDM profile, or a manual DNS configuration — CleanBrowsing works the same way. Every resolver supports both standard plaintext DNS and encrypted options (DoH, DoT, DNSCrypt). The apps and profiles add hardening and enforcement on top; they are not a prerequisite for filtering to work.

What's Included That Umbrella Charges Extra For

The bigger difference between CleanBrowsing and Umbrella is not the roaming agent — it is what comes with the plan you actually buy. Umbrella's feature set is split across tiers, with key capabilities held behind add-ons and upgrades. But the deeper issue is that you often do not know what you are getting or what it costs until you are already in a sales process where pricing is shaped by your organization's size, perceived budget, and volume. The quote changes based on who is asking.

CleanBrowsing does not work that way. Pricing is the same for everyone — a small school, an MSP, a mid-size business. Flat rates, published publicly, no negotiation, no tiers designed to extract more from larger buyers. Every paid plan includes the same core feature set:

| Feature | CleanBrowsing | Cisco Umbrella |
|---|---|---|
| Filter profiles: Distinct policy groups per device, network, or user group | Included on every paid plan | Premium tier / add-on |
| 26 content categories: Adult, gambling, social media, VPNs, phishing, malware, and more | Included — no modules required | Varies by tier |
| Scheduling: Time-based rules per profile — block by hour, day, or group | Included standard | Higher tiers only |
| SafeSearch enforcement: Forces Google, Bing, and YouTube into restricted mode at DNS level | Included standard | Varies by tier |
| Activity logs: Per-query logs with domain, type, outcome, and block reason | Included — 7-day retention on all paid plans | Limited on base tier |
| Encrypted DNS (DoH, DoT, DNSCrypt): All three protocols supported | Included — no upgrade required | Varies by tier |
| Pricing model: How costs scale as you grow | Flat rate by usage / account count — same price for all | Scales by org size, volume, and features — quote required |

How to Switch

1. Select a plan and create your account. Start at the WiFi & MSP plans page, pick the tier that fits your device count and number of client accounts, and sign up directly — no sales call, no quote process. Signup is self-service and takes a few minutes. Once your account is active, configure filter profiles to match your existing Umbrella policies. CleanBrowsing has 26 predefined content categories — map your current Umbrella category blocks to the equivalents and add any custom domains to your allow or block lists. If your organization requires a purchase order or invoice process rather than a credit card, we support that too — reach out to support@cleanbrowsing.org to get it set up.

2. Register your networks. Add your office IP addresses or IP ranges to CleanBrowsing. This ties on-network DNS queries to your account and filter profiles without requiring any agent on in-office devices.

3. Deploy off-network enforcement. Use the Windows app for managed Windows endpoints. Use DNS profiles for macOS, iOS, and Android. The MSP deployment checklist covers this in detail if you are managing multiple client environments.

4. Remove the Umbrella Roaming Client. Once CleanBrowsing is confirmed active on a device — verify with our DNS leak test — you can uninstall the Umbrella agent. Do this in batches and verify filtering is working before proceeding to the next group.

5. Update DNS settings on any network appliances. Firewalls, routers, and DHCP servers pointing to Umbrella's resolver IPs should be updated to CleanBrowsing's IPs. Current resolver addresses are listed in your dashboard under Networks.

Pricing — and Why We Just Tell You

Cisco Umbrella does not publish pricing publicly. Getting a quote requires a sales conversation. That is a deliberate friction point: it slows the evaluation process and puts you in a conversation before you know if the cost fits your budget. For smaller organizations and IT teams without a dedicated procurement process, that friction alone is enough to make evaluating Umbrella impractical.

CleanBrowsing publishes every plan, every price, on the WiFi & MSP plans page. You can sign up, configure profiles, and deploy to devices without talking to anyone. All plans include the same core feature set — profiles, 26 content categories, scheduling, SafeSearch, activity logs, and DoH/DoT/DNSCrypt. You pay for usage and account count, not for features.

| Plan | Price | Requests / Month | Customer Accounts |
|---|---|---|---|
| Basic | $600 / year | 75M | 20 |
| Midsize | $850 / year | 150M | 40 |
| Large | $1,500 / year | 300M | 60 |
| Custom | Contact us | 300M+ | 60+ |
| Cisco Umbrella | Contact sales required | Pricing not published publicly | |

For smaller organizations and individual deployments, per-device plans start at $75/year. See all plans.

No contracts. No per-feature add-ons. No call required.

See WiFi & MSP plans and sign up directly.

For organizations deploying to a larger fleet, the Windows roaming agent supports silent installation. Push the installer via Intune, PDQ, NinjaRMM, or any RMM using a single command with flags for your filter profile and PIN. Full documentation is at the Intune deployment guide. The same installer works for any RMM — you do not need to reconfigure anything per-tool.

One Honest Scope Note

Umbrella is a full Secure Internet Gateway with cloud firewall, SWG, and CASB capabilities bundled in. CleanBrowsing is a DNS filtering service. If your organization relies on Umbrella's web proxy, SSL inspection, or application-layer controls, CleanBrowsing covers the DNS filtering layer but not those additional capabilities.

For most small businesses, schools, and MSP clients, DNS filtering covers the majority of what they actually need from Umbrella — at a fraction of the cost and with less infrastructure to manage. If you are unsure whether DNS filtering alone covers your environment, get in touch and we can help you assess the gap.
