Manual device enrollment?

We’d like to use Zero Trust Access to allow users to access servers via RDP from approved devices only.

Is there a way to manually approve device enrollments? We only want users to access from pre-approved devices, not from any other device.

We could use a certificate, but we’re not sure how to tie this into the enrollment and access policies (for RDP).

I’ll add that we looked at serial numbers (described in https://blog.cloudflare.com/zero-trust-with-managed-devices). However, some of our devices just return “System Serial Number” as the SN. I don’t see a way to restrict by Device ID.