You can either edit the existing, default DeviceCert system policy, or you can create a new DeviceCert policy. Latter is recommended.