When a new user logs in, the default configurations sometimes are too permissive (no Lock App, etc). This is a weak link on the security of the platform.
E.g.: You configure your daughter’s phone correctly. She buys a new phone, logs back in, and all the configurations are back to square 1. Even worse, you never know if clients actually have the right configuration.
Ideally, the deploy should specify the settings to be adopted by a new logged in client.