I think you are looking for OVERALL what are best things to set as far as these settings?
and along with that, what it the BEST way to enforce them?
I agree that setting this at INSTALL time is optimal… but you can always have something fall thru the cracks (someone uses the WRONG clientsettings.cfg… they don’t use any clientsettings.cfg … etc). So if those are your goals, then first is to understand what each setting does. Then determine what people consider BEST practice, good example ( Patching practices ) by @jgstew and others if you read the post.
After this, you do want to put them clientsettings.cfg during your roll out. I have NOT seen the on the Mac where it does not pick these up, but could happen. So for various reasons you might want to ENFORCE your settings by creating a Fixlet that runs as a policy (not ending) to CHECK the settings on each endpoint, and adjust if not what you want.
Below is a simple example to start with (you can of course check ALL your settings, and update the missing ones)
Note that was just checking for a single thing, but we could add checks for all the settings we wish to enforce. My point here is that you WILL have one-offs during the install process, so why not enforce your BEST practices with a policy.