I tried a few of the things people suggested, such as enabling the screen saver or screen blanker, but those did not solve the problem: they do not differentiate between the VNC session and the physical desktop session, so they apply to both equally (the only valid states were both unlocked or both locked). Others suggested simply turning the screen brightness all the way down. That is security through obscurity, though: the display is still unlocked, and anyone who can reach your mouse and keyboard can still do whatever they like to your computer; they just can't see what's on the screen. It is also a usability problem (turn the brightness down, come into the office the next day, and how are you supposed to see the screen when you log in if the brightness is still forced to the minimum?).
The solution I found with the right security and usability properties was to combine fast user switching with the Vine VNC Server. This lets the physical display show something different from what you see remotely over VNC. Unfortunately, fast user switching does not work with Apple's built-in "Screen Sharing" VNC server: it mirrors your display exactly to the VNC client, so the physical and remote displays cannot differ. I presume that's why it's called "Screen Sharing". It is also not surprising that this doesn't work quite as well outside the Apple monoculture.
- Download and install Vine VNC Server
- Enable Fast User Switching on the Mac
- Connect to the Vine VNC Server on OS X with any VNC client (e.g. on port 5901). I configure Vine to require SSH, so it does not listen on any externally reachable port and can only be reached through an SSH port tunnel. Less attack surface.
- Go to the fast user switching menu and select "Login Window...". The physical display switches to the login screen, but the VNC window stays unlocked and functional, as desired.
[Screenshot: Enable fast user switching on OS X Mavericks]
[Screenshot: Switch to login screen]
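As an added example (not from the original post, and not part of Vine or OS X), the script below wraps the three moving parts of the procedure above in a POSIX shell script: the client-side SSH tunnel used to reach Vine's port 5901, a check you can run on the Mac to confirm that the "require SSH" setting really left nothing on that port reachable from the network, and a command-line equivalent of the "Login Window..." menu item. The hostname, user name, port 5901 and the `CGSession` path are assumptions; the two `netstat -an` samples are constructed for the self-check, not captured from a real machine.

```shell
#!/bin/sh
# Added example for the Vine VNC + fast-user-switching setup; not code from the
# original post.  Hostname, user, port and the CGSession path are assumptions.
set -eu

VNC_PORT="${VNC_PORT:-5901}"                 # Vine display :1 (assumed, as in the post)
MAC_HOST="${MAC_HOST:-mymac.example.org}"    # assumed hostname of the Mac
MAC_USER="${MAC_USER:-$(id -un)}"            # assumed account on the Mac

# The SSH command run on the remote (client) machine: no remote shell (-N),
# forward local VNC_PORT to the loopback-only listener on the Mac (-L).
# The VNC client is then pointed at localhost:VNC_PORT.
tunnel_command() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' \
        "$VNC_PORT" "$VNC_PORT" "$MAC_USER" "$MAC_HOST"
}

open_tunnel() {
    # Same command as tunnel_command prints, executed for real.
    exec ssh -N -L "$VNC_PORT:127.0.0.1:$VNC_PORT" "$MAC_USER@$MAC_HOST"
}

# Run on the Mac: read `netstat -an` output on stdin and return 0 only if
# every LISTEN entry on the given port is bound to a loopback address.
# macOS prints local addresses as 127.0.0.1.5901 or *.5901; Linux uses
# 127.0.0.1:5901 or 0.0.0.0:5901, so both separators are accepted.
vnc_listener_is_loopback_only() {
    port=$1
    bad=$(awk -v p="$port" '
        $NF == "LISTEN" && $4 ~ ("[.:]" p "$") \
            && $4 !~ /^127\.0\.0\.1[.:]/ && $4 !~ /^::1[.:]/ { print $4 }')
    [ -z "$bad" ]
}

# Run on the Mac (from inside the VNC session): switch the physical display
# to the login window, the same thing the "Login Window..." menu item does.
# Assumption: this CGSession binary exists at this path on Mavericks.
lock_physical_display() {
    "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend
}

# Constructed sample netstat output for a self-check of the listener test.
SAMPLE_NETSTAT_GOOD='tcp4       0      0  127.0.0.1.5901         *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.5901         127.0.0.1.52344        ESTABLISHED'

SAMPLE_NETSTAT_BAD='tcp4       0      0  *.5901                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN'

# Returns 0 if the loopback check accepts the good sample and rejects the bad one.
self_check() {
    printf '%s\n' "$SAMPLE_NETSTAT_GOOD" | vnc_listener_is_loopback_only 5901 || return 1
    if printf '%s\n' "$SAMPLE_NETSTAT_BAD" | vnc_listener_is_loopback_only 5901; then
        return 1
    fi
    return 0
}

# Usage:  vnc.sh tunnel   (on the remote client)
#         vnc.sh check    (on the Mac, after enabling "require SSH" in Vine)
#         vnc.sh lock     (on the Mac, from the VNC session)
case "${1:-}" in
    tunnel) open_tunnel ;;
    check)
        if netstat -an | vnc_listener_is_loopback_only "$VNC_PORT"; then
            echo "ok: port $VNC_PORT listens on loopback only"
        else
            echo "WARNING: port $VNC_PORT is reachable on a non-loopback address" >&2
            exit 1
        fi ;;
    lock)   lock_physical_display ;;
    *)      ;;   # no argument: only define the functions
esac
```

The `check` sub-command is the part worth keeping around: "require SSH" only reduces attack surface if the server actually stopped binding `*.5901`, and a quick look at `netstat -an` after changing the setting is the way to confirm it rather than trust the preference pane.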