That is an excellent feature request to include in the Duo Policy Engine.
While it is not possible to achieve this in that manner at this time, we do have customers restricting enrollment to internal networks using a combination of the Policy Engine and our Device Management Portal.
The first thing that you will need to do is to stand up our Device Management Portal on a non-internet exposed web server.
Next, you will want to take a look at your Duo Policy. The most important policy option for this scenario is the New User Policy. What you will want is to create an Application Policy for your new Device Management Portal integration that has the New User Policy set to Require Enrollment.
After getting that setup, you will want to to change any other Application Policies as well as your Global Policy. If you are looking to restrict enrollment to the internal networks where users can access the Device Management Portal, all other New User Policies should be set to Deny acccess
Once you make this change, you will be all set to post the URL for the new portal anywhere you’d like internally.
Hope this helps!