It depends on the GP toolkit you are going to use to manage the applets and cards. Each toolkit have their own approaches. You can use open source or freeware GP toolkits (i.e. GlobalPlatformPro, GPShell,
pyApdutoolkit) where you have to manually set the keys and decide how you want to derive them.
GlobalPlatformPro gives you access to a CLI interface or you can build a proprietary toolkit on top of GlobalPlatformPro by adding GlobalPlatformPro as a library dependency and then setup a HSM or smartcard to store your master key(s) and use the open source library API to utilize GlobalPlatformPro to derive your card keys and inject them into the card. This is very manual but this is open source project.
GPShell only offers command line toolkit so you have to write scripts manually to derive your own card keys (domain keys) and populate the card.
PyAPDUToolKit is a GUI tool for most part and I am not aware of any API that
pyApdutoolkit offers to allow you to build your own toolkit on top of
pyApdutoolKit.
If you are using NXP JCOP or Infineon's own proprietary toolkits, its a completely different world there. They offer "vaults" for you to create your own keystore and different automated approaches to populate your cards. The downside is you need to sign NDA with NXP and/or Infineon if you are using their proprietary developer environment and toolkits but they give you GUI and other convenience to diversify your keys and manage your keys for you. I should note that the GUI may require getting used to as I have used them before and decided to revert back to GlobalPlatformPro :S .
I have not mentioned ways to take a master key you have selected to diversify them using different types of key diversification methods. GlobalPlatformPro and may other tools may offer EMV KDF, VISA2 KDF and a whole different host of ways to diversify from a master key to an individual card key. You can even invent on your preferred diversifying method but this will require coding.
Essentially, there is no such thing as a 'right approach'. End of the day, when you communicate with your card over the SCP02/3 channel, you just need the correct card key to communicate and open a SCP channel. You can have a master key and then give your card a UUID or a CAN number which you use a secure hashing algorithm to derive via HMAC or some secure key derivation algorithm the card key using your own master key and the UUID/CAN and some version numbering you can invent.
Something like CardKey = HMAC(Hash=SHA256, Key=MasterKey..., CardID=YourCardID, CardIDVersion=VersionNum);
Then you change out the original card key with the new CardKey (i.e. GlobalPlatformPro offers the -lock option to change the card keys).
I do not go into specifics because different issuers and developers have different approaches so you will need to find your own approach. Either you have to conform to some specifications due to some project requirements or you are developing your own product or project will influence how you deploy your cards securely.