Manual device enrollment?

We’d like to use Zero Trust Access to allow users to access servers via RDP from approved devices only.

Is there a way to manually approve device enrollments? We only want users to access from pre-approved devices, not from any other device.

We could use a certificate, but not sure how to tie this in to the enrollment and access policies (for RDP).

I’ll add that we looked at serial numbers (described in However, some of our devices just return “System Serial Number” as the SN. I don’t see a way to restrict by Device ID.