If the framework takes the responsibility of starting the VPN connection, and since it is MDM-controlled, how will the user be able to connect to the VPN if a time-out or networking error occurs?

Note — This answer for the VPN Services only

This use case can be handled by either the VPN client, implementing the auto-retry API or throwing a notification to the user which allows the user to retry the connection. Note that this is applicable only for networking related errors like time out or server not reachable.