[ZT] Device enrollment policy flow (#20680)

* new Access policy flow

* minor wording tweak

Author: ranbel

src/content/partials/cloudflare-one/warp/service-token-enrollment.mdx

@@ -11,13 +11,15 @@ import { Tabs, TabItem } from '~/components';
 
 2. Copy the token's **Client ID** and **Client Secret**.
 
-3. In your [device enrollment permissions](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions), create the following policy:
+3. Go to **Access** > **Policies** and create the following policy:
 
    | Rule Action  | Rule type | Selector      | Value          |
    | ------------ | --------- | ------------- | -------------- |
    | Service Auth | Include   | Service Token | `<TOKEN-NAME>` |
 
-4. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
+		 Make sure to set **Action** to _Service Auth_ instead of _Allow_.
+4. Add the Access policy to your [device enrollment permissions](/cloudflare-one/connections/connect-devices/warp/deployment/device-enrollment/#set-device-enrollment-permissions).
+5. In your MDM [deployment parameters](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/parameters/), add the following fields:
    * `auth_client_id`: The **Client ID** of your service token.
    * `auth_client_secret`: The **Client Secret** of your service token.