Suggested by Stewart Tranter – New
It should not be possible to make changes in any other environment than a Sandbox environment. The Prod envronment should re read only for customisations.
Make all non-sandbox environments read only to force development in Sandbox envionments.
The exception to this is for tenants which only have 1 environment.