graphenegrotto If I did build this myself using the build guide, would / should the verifiedBootKey still match one of the official GrapheneOS verified boot keys, for the self-signed case?
To quote the GrapheneOS build guide:
The signing process for release builds is done after completing builds and replaces the dm-verity trees, apk signatures, etc. and can only be reproduced with access to the same private keys
The guide suggests that if you don't generate your own signing keys then the build process will use the public Android test key (I haven't looked). Perhaps your security admin could temporarily enable the public test key as a root for verified boot? Or you could generate your own, which would need to be trusted by your admin.
Please note that I am super not an expert! You may be better off on the Matrix channel. I'd suggest you begin with the goal, something like, "I am trying to convince my employer's security admin to configure MS Intune to trust official GrapheneOS builds, but I'm not confident I know the exact steps to request...".
Also note that if you do sign your own build then you must disable the automatic update client, because the official OTA images it fetches won't match your signing key, so you will uselessly load the update server.
Good luck, and keep us posted!