Don't reset user VPN without reason

When DPM.setAlwaysOnVpn is called with package=null, it resets
any VPN configured by the user. With this change it won't happen
anymore: it will only reset VPN configuration if it was previously
configured by the admin.

If an admin actually wants to remove any user configured VPN, they
can enforce DISALLOW_CONFIG_VPN restriction which will remove any
user VPNs and will prevent the user from configuring a new one.

+ Also make sure that when the DPC removes an always-on VPN
configuration, the package loses ability to start VPN until the
user authorizes it again.

Bug: 139823667
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
Change-Id: Ia703015b4e8d7eaf156358d7eb000d6f58d32238