Vision Pro Mac Display Mirroring with VPN

I kept coming across this thread when trying to find work-arounds for connecting to my work Cisco AnyConnect VPN without disconnecting from the Mac Virtual Display on my Apple Vision Pro. Maybe this will help others.

I tried changing the config on the AirPlay ports (mentioned in other replies here), but Cisco AnyConnect (4.9) VPN didn’t allow this. Since the Cisco client is distributed by my company, I cannot upgrade to 5.x.

What worked for me was to create a UTM virtual machine (macOS Sonoma, https://mac.getutm.app/) on my personal MacBook Pro (M3 Max, but should work on all Apple silicon MBPs), and I installed the Cisco client + MS Remote Desktop on the virtual machine. My MacBook Pro maintains local access and shares internet access with the virtual machine. The VM registers the network access as Ethernet, and the VPN manages these ports.

Now when I’m using my Apple Vision Pro and Mac Virtual Display, and I want to use the VPN to access my work machine, I start the Virtual Machine on my MacBook, connect the VPN, and then remote in to my work PC. The Mac Virtual Display remains connected to the Apple Vision Pro.

Virtual Machine installation

1. Download UTM for Mac (on your main computer)
2. Downloaded Install macOS Sonoma from Apple App Store (on main computer), but cancel out of the installation process the first chance you get. https://apps.apple.com/us/app/macos-sonoma/id6450717509?mt=12
3. Install UTM for Mac (on main computer) https://mac.getutm.app/
4. Create Virtual Machine with Install macOS Sonoma (after it downloads from the App Store on your main computer, it will be in your Applications folder)
5. skip connecting the virtual machine to any Apple account, and skip everything you possibly can
6. start VM and install Cisco client from your company
7. install beta version of MS Remote Desktop (since Apple App Store doesn’t work without being logged in) https://install.appcenter.ms/orgs/rdmacios-k2vy/apps/microsoft-remote-desktop-for-mac/distribution_groups/all-users-of-microsoft-remote-desktop-for-mac

Notes on Configuration of Virtual Machine

I configured the VM with 4gb of RAM and 50 gb of disk space, but I’ll probably reduce these in the future since the VM has one job: connect to my work PC through the VPN. I only lose this RAM from the main machine when the VM is running. Additionally, I uninstalled every app I could, and set Cisco and MS Remote Desktop to run on startup to reduce mouse clicks. I set Cisco to start the VPN when the app starts as well. In the VM macOS User settings, I set it to log in automatically (without a password).

You'll need to discuss this with the IT team managing the VPN as a starting point, as VPNs can be configured to block local traffic. Your organization's IT team may well then open a case at the Cisco TAC, and ask them to sort this out.

The VPN client will need to allow specific local traffic, and a whole lot of the VPNs I've worked with are set to block all but specified local traffic, or not route that traffic locally, and there's usually ~no way to get an AirPlay connection traveling from Vision Pro through the VPN and all the way back to the Mac as the AirPlay display.

Here are ports used by AirPlay: TCP and UDP ports used by Apple software products - Apple Support

On no evidence, I'd guess that one or more of TCP 80, TCP 443, TCP and UDP 554, TCP 3869, or UDP 5353 is getting blocked—or mis-routed—by the VPN.

mikefromenglewood wrote:

How would I figure out what IP addresses each device is using to do the AirPlay? Their documentation doesn't say anything about it needing to be on the same WiFi network, even. Does it just use an ad hoc connection?

I’d expect it usualy uses either local staric DNS, or mDNS / Bonjour traffic to identify the target host IP address.

At the command line, use dns-sd to view the mDNS data, or use the command line ping and send a ping to the subnet multicast address (which will usually provoke everything to answer, then figure out what is what), or poke in the arp data, the local Wi-Fi router or AP might have a lookup tool in its UI (Ubiquiti gear is really good at this), or look up the IP network settings in Settings on each device. I sometimes use the Discovery DNS-SD browser app on macOS for this, too.

suppose one would have to use vpn on the headset too, otherwise they are not on the same network

vpn makes the mac tunnel it's communication across the internet to be on the same network as the vpn server

mikefromenglewood wrote:

I am the IT person in charge of the VPN, haha.

I'd suggest opening a case with Cisco TAC, then. This is the sort of thing that TAC exists to resolve.

If you somehow don't have Cisco support, either get that support, or traceroute the network paths for the cited ports, both to and from the Mac.

A VPN fundamentally alters network routing. That is how the VPN works. It alters the network routing, and quite possibly also blocks some of the network traffic. This can involve network traffic to the Mac, or network traffic from the Mac too, as IP connections don’t necessarily use the same network path to get packets to the remote host as they might use to get packets from the remote host. Put differently, getting packets to the target host is half the “fun” involved, while getting the packet responses back from the host is the rest.

Your options here:

… Call the Cisco TAC.

… Learning more about IP networking and VPNs and troubleshooting than you had probably intended.

One has to make sure the vpn do not router the ports required by mirroring or it would not work

TCP and UDP ports used by Apple software products - Apple Support

So you replaced the Cisco AnyConnect VPN with the OpenConnect VPN client? Okay.

The built-in Apple VPN client or the OpenVPN client might be other VPN options, then.