Thank you! However, could you please comment on underlying idea for not providing a such mechanism?

Because Endpoint is installed (and payed for) with a reason: Security. It usually is not acceptable for a company to have their staff disable Endpoint except for selected admins and to temporarily overcome emergency situations, so this is not a requested feature but would pose a security issue. If you want to disable Endpoint starting from next reboot, uninstall it. You may reinstall it later.

Thank you, but can't agree! Yes Security, but only and only when I do connect remotely to a company's servers, in my case. I do believe this option is inevitable 'cause not all users use their working machines as the company deems. 

See, that is it - sometimes it needs some force to prevent innocent users from exposing their working machines to malware threats. Having security when connected remotely to a company's servers will not help you at all if you are unable to connect because your data has been encrypted by malware already 8)

But you can always do the uninstall ! Or reboot the Mac with special keys pressed so no kernel extensions are loaded - this will also disable EPS.

Still do believe, this option should be available. Secure connection to remote server as well as malware protection should be tinkerer within each organization, because typically users can’t remotely cannot to a company’s servers until Endpoint is enable.

The Mac VPN client is considered an Endpoint offering, which at minimum includes a firewall, and is sold/licensed that way.
I presume why you don't want this to run at startup is you prefer not to have the firewall there unless you're connected to the VPN, correct?

Correct! No firewall is needed at the start up at all. Endpoint is required for remote connection to a company’s servers only where Endpoint serves astute one of the main core elements of remote connection. The rest of the time I use my laptop on my own.

Why not stay with the Enterprise VPN Client using Desktop Policy only when connected ? EPS Client seems much too much for you 8)

Well, it’s not required. I keep all docs in cloud where upload and download channel is fully encrypted. Additionally, I have hard drive data full encryption enabled too. Neither I visit any unknown website, nor install apps out of App Store. In simple words, just avoid any chances to be hijacked.