Threema Work

FAQs

Introduction

Instant messaging is an immediate and effortless means for information exchange, and it has become an integral part of today’s business communication. Instant messaging simplifies communication, improves collaboration, expedites workflows, and increases productivity. It is the most popular communication tool.

Risks of conventional chat solutions

Many of the apps that are used for business purposes don’t meet legal data-privacy requirements. Often used under the radar as “shadow IT,” messengers like WhatsApp pose several risks:

  • Unrestricted access to user data (such as contacts, metadata, locations, etc.) must be granted
  • Third parties can gain access to this data
  • The encryption used in them is not verifiable
  • There is no means for administration and user management
  • Legal requirements are not met
  • There is no strict separation between personal and professional communication

To find out how Threema differs from WhatsApp in terms of security and data protection, please refer to this in-depth comparison.

In November 2021, the FZI Research Center for Information Technology in Karlsruhe, Germany, released a comprehensive legal study on the corporate use of messaging services as well as a compact practical guide (both in German), see blog post.

Threema Work offers all features expected from a professional business messenger. No other messenger offers a comparable level of security, metadata restraint, and confidentiality. Overview of key advantages:

Threema is trusted by millions. It is a cost-efficient and simple way to make the communication of your employees, partners, and customers secure, privacy-compliant, and professionally manageable.

Compare Threema Work with other business communication-tools in our comprehensive business-messenger comparison, and have a look at the in-depth comparison of Threema and WhatsApp.

Before the Threema Work app can be used, it must be activated using credentials:

  1. Log in at https://work.threema.ch/en/login, select a subscription, and set the credentials for your users in the “Credentials” section.
  2. On your mobile phone, download the free app “Threema Work” from the appropriate app store.
  3. Launch the Threema Work app, and enter the credentials you have defined in the first step above.

Watch our product demo to learn how to deploy the Threema Work app to your users and to get an overview of the management cockpit.

Threema Work is ideal for secure and efficient communication in medical institutions such as doctors’ offices, clinics, pharmacies, and it’s also perfectly suited for home care. Our business messenger allows your medical facility’s staff to exchange medical reports in a secure, efficient, and privacy-compliant manner.

To learn more, visit the healthcare subsite.

To transfer data when switching phones, you can either use Threema Safe or create a data backup. Please note, however, that not all backup types contain the same data. In the following documents, you will find detailed information about which backup to use in which situation:

Backups on Android
Backups on iOS

Threema Work is the ideal communication tool for almost every industry and sector, e.g., the retail sector, the automotive industry, tourism, industrial companies, and public authorities. Threema Work is also popular with the security and the healthcare sector and every other area where fast and secure information exchange is a top priority.

An overview of different use cases in a wide range of industries can be found in the Success Stories.

Thank you for your interest in testing the beta version of Threema Work. In order to participate in the beta program, it’s required that you have installed the regular Threema Work app and activated it using credentials.

Be sure to create a backup before installing the beta version!

If you want to leave the beta program and use the regular Threema Work version again, please contact support via “Settings > Beta Feedback” or at help at threema dot ch.

Features

Threema Work is available for Android and iOS and can also be used on tablets.

With the desktop app and the web client, Threema can also be used on desktop computers.

Threema Work provides all the features you expect from a state-of-the-art instant messenger for organizations

Basic app features

Special features

The Threema Work app is based on Threema’s consumer app and offers similar features. You can find out more about features and answers to general questions about the app in the Threema FAQs.

With the desktop app and the web client, you can conveniently chat from your computer without compromising security. You have full access to all chats, contacts, and media files.

The desktop app and the web client are available for both the Android and the iOS version of the Threema Work app.

Please note that a mobile device (on which the Threema Work app is present and activated using credentials) is required.

As of Threema Work 4.8.5k for iOS and due to restrictions on Apple’s part, the mobile app must be open in order for the desktop app / the web client to maintain a connection. Learn more…


With the beta version of Threema Work 2.0 for desktop, you’re able to chat from the computer even when the mobile device is turned off or not connected to the Internet. Learn more...

Version 2.0 of Threema Work’s desktop app is a major update that will not only introduce a completely redesigned user interface, but it will also be based on a totally new architecture. Thanks to multi-device functionality, this version of the desktop app no longer requires an active connection to the mobile device.

The beta version of Threema Work 2.0 for desktop allows iOS users to test the upcoming multi-device functionality ahead of time. iOS users can connect the Threema Work app for iOS with the beta version of Threema Work 2.0 installed on one computer and use them independently from each other.

How to Get the Beta Version of Threema Work 2.0 for Desktop

Please note that this is beta software that can be rough around the edges. Features are limited. Make sure to create a backup before you proceed. For known issues and limitations, please refer to this FAQ entry.

  1. Install and open the beta version of Threema Work 2.0 for desktop. (There is no browser version available for this beta version.)
  2. Follow the instructions on the screen to link your computer to your mobile device.

At the moment, the beta version of Threema Work 2.0 is only available for iOS, not for Android. In the future, support for multiple linked devices, including tablets and Android devices, is planned.

Just like messages, Threema Work’s voice, video, and group calls are end-to-end encrypted and thus tap-proof.

Neither a SIM card nor a phone number is required. This allows you to make voice, video, and group calls on tablets and iPads.

Required app version for voice calls:

  • Android: Threema Work 3.21k or above
  • iOS: Threema Work 3.0.1k or above

Required app version for video calls:

  • Android: Threema Work 4.41k or above
  • iOS: Threema Work 4.6.1k or above

Required app version for group calls:

  • Android: Threema Work 5.0.2k or above
  • iOS: Threema Work 5.6k or above

Threema calls can be completely disabled. You can also only disable group calls or only disable video calls without disabling voice calls.

Please find additional information here.

With the “off-hours policy,” Threema Work users only receive notifications during specified periods of time.

In the app, navigate to “Settings > Sound & Notifications > Do not disturb” (Android) or “Settings > Notifications > Off-Hours Policy” (iOS), and define your working hours. If the off-hours policy is enabled, no notifications for incoming text or voice messages will be displayed, and calls are automatically rejected.

A phone number is not required to use Threema Work. Threema Work can be used on devices without (or with multiple) SIM cards. You can even make Threema calls without a SIM card.

Threema Broadcast is the tool for versatile, secure, and straightforward top-down communications.

  • Use feeds and distribution lists to send messages to any number of recipients, and turn Threema into a powerful newsletter channel. While users can subscribe to and unsubscribe from feeds, you manage the recipients of distribution lists yourself.
  • With bots, you can create interactive information-retrieval systems that allow your users to quickly get the answers they are looking for.
  • Manage central group chats together with any number of co-administrators, and participate in the group discussion right from your PC.

Threema Broadcast is included in the Professional price plan. The number of Broadcast recipients corresponds to the number of Professional licenses. For Example: If you have 80 Professional licenses, there are 80 Threema Broadcast recipients available.

Learn in our Threema Broadcast demo how to create and set up centrally managed groups, bots, and feeds.

With Threema Gateway, Threema can be integrated into existing software applications. This allows companies and organizations to send, receive, and process Threema messages using their own software. Threema Gateway can be used for various purposes – the possibilities are virtually endless. Here are some real-world examples:

  • Userlike enables companies to communicate with customers and employees using various channels, including Threema.
  • Corona Radar, a service by Whappodo, allows Threema users to retrieve regional Corona stats right in the Threema app.
  • IncaMail, Swiss Post’s secure email service, uses Threema Gateway to forward encrypted emails. For example, payslips can be received not only as secure email but also as Threema message.
  • With a plugin, Threema can be used for two-factor authentication in the forum software xenForo.
  • Whappodo, which also supports Threema, is a solution for customer care and broadcasting via instant messenger.

Besides the above-mentioned xenForo plugin, there are many other Open Source projects that use Threema Gateway, e.g., Grafana and Mattermost.

To learn more, please visit the Threema Gateway website.

Security & Privacy

Threema is trusted by millions and known for its unparalleled security and privacy protection. No other messenger offers a comparable level of security, metadata restraint, and confidentiality.

  • Top-grade end-to-end encryption of the entire communication.
  • Strong encryption on users’ devices: Chats and messages are stored with strong encryption on the device.
  • Decentralized handling: No central storage of personal data.
  • Company-owned hardware in Switzerland: Threema GmbH runs its own servers in data centers of an ISO 27001-certified collocation partner.

Details about the encryption, key-pair management, physical data security, data protection laws, and other security advantages of our decentralized architecture are summarized in the Security and Privacy Reference Sheet.

The Threema Work apps are open source, and the Cryptography Whitepaper contains comprehensive information about Threema’s technical architecture. Furthermore, external experts audit Threema on a regular basis.

Compare Threema Work with other business communication-tools in our comprehensive business-messenger comparison, and have a look at the in-depth comparison of Threema and WhatsApp.

We don’t require a data-processing agreement, but we provide a standard agreement. Individual agreements are not possible.

If your company requires that chats are stored externally for auditing or reporting purposes, you can ask users to export chats.

Due to the end-to-end encryption, it’s not possible to create transcripts using the management cockpit or the API.

App users can retrieve the information listed below at any time (by following the instructions listed in this FAQ article).

Details about the Threema ID

  • Public key
  • Timestamp of creation
  • Hash of the linked phone number
  • Hash of the linked email address
  • Presence of a revocation password (yes/no)
  • Nickname

App details

  • Timestamp of the last licence check
  • Version number and language
  • Bitmask of features supported by the version in use
  • Push token of the service in use (GCM/FCM, APNS)
  • Name of the chosen sound file for push messages

Values of the following configuration settings

  • th_firstname
  • th_lastname
  • th_category
  • th_csi
  • th_nickname

Purchase & Order

There are three price plans available for Threema Work, which differ in their features and services. A detailed comparison of these price plans is available here.

You can switch to a subscription that offers more features by clicking “Upgrade” in the management cockpit at any time.

If you wish to downgrade your subscription, please contact our support before the current subscription period expires.

You can switch to a sucscription that offers more features by clicking “Upgrade” in the management cockpit

You can try out Threema Work free of charge for one month with 30 users. Set up a trial subscription without obligation.

If you would like to convert your free trial into a regular subscription in order to keep the trial’s credentials and settings, please proceed as follows:

  1. Log in to your Threema Work admin account
  2. In the subscription overview, select the trial you wish to convert
  3. In the trial’s management cockpit, navigate to “Overview”, and click “Buy now!”
  4. Specify the desired number of users, select your preferred currency, and click “Next”
  5. Select the preferred payment option, and follow the on-screen instructions to complete the order process

Important

If you accept an offer instead of converting your trial into a regular subscription, a new subscription will be created, and you will have to manually transfer your trial users to the newly created subscription.

The subscription term is twelve months and will be automatically extended for another year unless duly terminated. Please refer to the Terms of Service for details.

Billing address in Switzerland and Lichtenstein
The statutory value added tax (VAT) of 8.1% is applied to all invoices.

Billing address in the European Union
In accordance with EU law, the invoice does not include VAT if you register your legal entity’s VAT Reg No in the admin account or provide it afterward:

Management-Cockpit

In this case, the reverse-charge regulation applies and the tax liability transfers to the recipient of services.

If the VAT Reg No is not stored in the profile, the country-specific VAT must be billed in addition to the purchase amount.

Billing address in other countries
Depending on the local law, the recipient of the service is liable to pay the VAT and, if applicable, declare the import of the service to the relevant tax authority. Please consult your local tax authority for binding information.

When subscriptions are automatically renewed, an automated email is sent, which also contains a URL directly to the invoice. The following invoice details can be added or adjusted after calling up the URL:

  • VAT Reg No (with this information the VAT is omitted on quotations and invoices)
  • Currency
  • Payment method
  • Address
  • Order details (supplier no. of Threema GmbH with you, your order number, cost centre, requesteretc.)
  • Additional information below the invoice items

Administrators with an appropriate authorization can open all invoices at any time by clicking on the corresponding order at https://work.threema.ch/en/order.

Tips:

  • It is best to set the preferred currency in the settings:

    Management-Cockpit
  • Which persons should automatically receive an invoice can be set at https://work.threema.ch/en/manage/user-index: Grant the required access authorization and configure the notification settings accordingly:

    Management-Cockpit
Course of actionAvailability of licenses
Wire transferYou will receive an invoice via email, payable within 30 days.Upon receipt of payment
Credit cardPay with MasterCard or Visa. You will be redirected to Datatrans for the payment.Immediately
PayPalYou will be redirected to PayPal. A PayPal fee of 5% applies. Any refunds will be issued to your PayPal account.Immediately
BitcoinPay anonymously with Bitcoin.Immediately

Apart from the license costs, the use of Threema Work does not involve any other fees. All price plans include guaranteed availability, technical support, and software updates for all platforms.

Online prices

The prices indicated on the Threema Work website are online prices. The Terms of Service apply.

Individual agreements such as changes to our standard data-processing agreement, individual contracts as well as technical or legal questionnaires or documents are examined solely against payment of the administrative and legal expenses. Please contact us if an individual service agreement is required.

Threema supports nonprofit organizations, schools, and other educational institutions in their endeavor to increase privacy protection. Eligible organizations* benefit from preferential terms.

  • Threema Education: Special offer for public educational institutions. Learn more…
  • Nonprofit organizations: 30% discount on Threema Work. Contact us…

*) Threema reserves the right to review an organization’s eligibility at any time; if the eligibility criteria are not met, the discount will be withdrawn.

Licensing

Each app instance requires an individual license. If Threema Work is used on multiple mobile devices at the same time, a separate license is required for each device (cf. Terms of Service).

To use Threema Work on your desktop, a mobile device on which Threema Work is installed is required; however, no additional license is necessary. Find out more about the new desktop app, which can be tested with Threema Work for iOS, on this page.

Handling

  • A Threema ID cannot be used on multiple mobile devices (or in Threema and Threema Work) at the same time.
  • Per app, only one ID can be used at a time.
  • An email address or phone number can only be linked to one Threema ID at a time. Linking the sameemail address or phone number to different Threema IDs is not possible.

Threema Work is tailored to the needs of organizations and intended for corporate use. For personal use, we recommend the standard Threema version.

To receive a quotation, log in to your admin account, and navigate to Quotations/Invoices > Quotations.

If you don’t have a Threema Work account yet, please register for free and without any obligation.

Rollout & Deployment

You can deploy the Threema Work app manually or by using an MDM or EMM system:

  1. Manual deployment: unmanaged devices (without MDM)
    Manual deployment is straightforward. After the users have downloaded the free Threema Work app from the appropriate app store, they enter the credentials you have provided, and the app is ready for use. Learn more…
  2. Deployment via MDM system
    If you deploy the Threema Work app via MDM system, the credentials for the app’s activation are provided by the MDM system. The setup process can also be completed automatically using configuration parameters. Learn more…

Watch our product demo to learn how to deploy the Threema Work app to your users and to get an overview of the management cockpit.

The Threema Work app must be activated using credentials before it is ready for use. Depending on whether the app is deployed manually or via MDM system, the process of defining credentials differs slightly.

Manual deployment (unmanaged devices): individual credentials / single-user licenses

When deploying the Threema Work app manually to unmanaged devices, individual credentials (single-user licenses) are appropriate, which means that each user gets separate credentials to activate the app. If you used the same credentials for different users (multi-user license), it would not be possible to withdraw a user’s access to the app, and you cannot preconfigure the app using the app configuration in the management cockpit.

Deployment via MDM system (managed devices): global credentials / multi-user license

When deploying the Threema Work app using an MDM system, the credentials are distributed along with the app. The preconfiguration of the app is carried out directly in the MDM system, where you can, for example, activate contact synchronization, link a phone number, or set the user’s first and last name (learn more). When deploying the app using an MDM system, you don’t need to define different credentials for each user. Simply use the same username/password pair as multi-user license for all users. If staff changes occur, an individual user’s access to the app can be withdrawn via the MDM system.

Threema Work can be deployed to the intended users in a few simple steps. Then, it must be activated using credentials, and it’s ready for use.

  1. Finding and defining credentials
    • Trial: Credentials have been created for you automatically. Find them in the Threema Work management cockpit.
    • New subscription: To set the credentials in the Threema Work management cockpit, navigate to “Credentials > Activate credentials”.
  2. Download the app
    Instruct users to download the free Threema Work app from an app store. You can also place the APK version of the app at your Android users’ disposal.
  3. Enter credentials (activate the app)
    In order to activate the app, your users need to enter the credentials you have specified above. Alternatively, the app can be unlocked using an activation link. Learn more about activation links…

Using the app configuration in the management cockpit, you can even preconfigure the app for your users. This way, you can make sure that the first and the last name is set, the correct phone number or email address is linked, and more. Details…

The “First Steps” PDF will guide you through the manual distribution and activation of the app.

Threema Work supports Android Enterprise (Android 5.0 or higher) and Managed App Configuration (iOS 8.0 or higher). These standards are used by all popular MDM systems (cf. Supported MDMSystems).

A wide range of configuration settings allow you to preconfigure the app tailored to your company’srequirements.

Rollout and configuration using a regular MDM system

Use multi-user licenses for an easy setup of automatic rollout. Use the list of configuration settings to define specific config policies.

App configuration with the management cockpit (without an MDM system)

Configure the app easily in the Threema Work management cockpit also when lacking an additional MDM system. Details

App Configuration with the management cockpit in addition to a regular MDM system

The app configuration can be used in addition to a regular MDM system, e.g. to push last-minute changes.

Configuration settings defined in the management cockpit overwrite the settings defined by the MDM system. This applies also to individual configuration settings. For example, if only one setting is defined in the management cockpit, only this setting will be overwritten, while the rest of the configuration defined in the MDM system remains unchanged.

You can preconfigure the Threema Work app for your users and set it up as desired so that the app is ready for use when first launched. The preconfiguration can be carried out either using a regular MDM system or using the app configuration in your management cockpit. The app configuration is typically used for unmanaged devices, where individual credentials come into play (this way, users can be identified and managed individually).

For users with individual credentials, “individual” settings can be defined in the app configuration. Individual settings are settings that are typically different among different users, e.g., name, nickname, phone number, etc.

Get an overview of the configuration settings available in the management cockpit in our product demo.

Threema Work is compatible with any MDM system that supports Android Enterprise (Android) and Managed App Configuration (iOS). Many developers of such MDM systems are part of the AppConfig Community. Threema Work is compatible with MobileIron, Sophos Mobile, Citrix XenMobile, SAP Afaria, VMware AirWatch, and others.

The following step-by-step instructions for deploying Threema Work are available:

Other MDM systems: Please make sure that your MDM system supports Android Enterprise (Android) and Managed App Configuration (iOS).

When configuring the Threema Work app with MS Intune, certain token types from Intune are available. According to Microsoft, the following token types can currently be used to configure the Threema Work app:

  • {{userprincipalname}}, e.g., john@contoso.com
  • {{mail}}, e.g., john@contoso.com
  • {{partialupn}}, e.g., John
  • {{accountid}}, e.g., fc0dc142-71d8-4b12-bbea-bae2a8514c81
  • {{userid}}, e.g., 3ec2c00f-b125-4519-acf0-302ac3761822
  • {{username}}, e.g., John Doe
  • {{PrimarySMTPAddress}}, e.g., testuser@ad.domain.com

Other custom key/value pairs are not supported.

With Android Enterprise, it is generally possible to distribute the app in a container. iOS does not have a standardized type of container supported by the operating system.

However, Threema Work is not available as a wrapped container solution (e.g., for MobileIron AppConnect or Citrix MDX Toolkit). Wrapping would require substantial adjustments to the Threema Work app that would lead to considerable limitations and incompatibilities. Since our requirements in regard to ease of use and reliability could not be met, wrapping is not supported.

If your company uses MobileIron AppConnect, please refer to this article.

Threema Work supports Android Enterprise (formerly known as Android for Work). For technical reasons, MobileIron AppConnect and Android Enterprise can’t be used at the same time.

However, the app configuration in the management cockpit can be used to manage the Threema Work app separately in case you use MobileIron AppConnect.

Configuration & User Management

Using Threema Work’s management cockpit, you can easily manage your subscriptions and users.

Management-Cockpit

As Professional user, the management cockpit allows you to:

  • Create quotations, and access orders and invoices
  • Increase the number of users, and renew subscriptions
  • Upgrade existing subscriptions, and purchase new ones
  • Manage the users’ contact list
  • Access Threema Broadcast
  • Preconfigure the app
  • Manage users and credentials
  • Revoke IDs, and detach IDs from a subscription
  • Set an in-app logo
  • View statistics of your subscription
  • Request support

In addition, Professional customers can manage users and subscriptions via API.

The management cockpit overview shows how many users are active (1), how many credentials are defined (17), and for how many users you have licensed Threema Work in total (350). In this example, the app can be activated on another 333 devices.

Management-Cockpit

Add new users

First, make sure that the required number of credentials is available. Then, switch to the “Credentials” menu, and click on “Add/import credentials”.

  • To add multiple users at once, click again on “Add/imprt credentials.” In the window that appears, you can enter the credentials or upload a CSV file.
  • Multiple devices can be activated using the same credentials: Instructions

If all credentials are activated (i.e., the number of active users and the total number of credentials are the same), click on the “Increase number of users” button in order to purchase additional licenses for the remaining duration of the subscription.

Transfer license to a new user

See Managing staff or device changes.

Licensing more users

If you need more users than are currently licensed (350 in the example above), simply click on “Increase number of users”.

Purchase additional licenses for external or temporary employees joining your team. You can integrate them in an existing subscription or keep them in a separate subscription.

Once the project is finished, you can withdraw their access to the Threema Work app and/or revoke their Threema IDs.

With the following settings, users of a subscription can only communicate with other users of the same subscription or with contacts that were added manually in the management cockpit. The communication with external contacts is inhibited.

Tab Configuration Setting Activated Value
Contacts th_block_unknown

On

true

Contacts th_contact_sync

On

false

Contacts th_disable_add_contact

On

true

Profile th_readonly_profile

On

true

Hint: If you use Threema Broadcast, you can use this communication principle also for your Broadcast ID ( “Availablility: Internal only”).

The following features are particularly useful when handling staff changes:

Withdraw access to the app
In the management cockpit, navigate to Credentials. Find the appropriate credentials, and click on the trash-can icon to delete the credentials.

Please note that it may take up to 24 hours until the former employee loses access to the app.

Revoke Threema ID
Revocation will permanently delete a Threema ID and all associated information from the servers. This will make it impossible for a user to send or receive any message using this ID, or to restore the ID from a backup. It is the most secure method to permanently exclude someone from your organization's internal communication.

Please note:

  • An ID revocation cannot be undone.
  • As a Threema Work administrator, you can revoke a user’s Threema ID even if they have set an ID Revocation Password.
  • It might take up to one hour for a revocation to take effect. After a Threema ID has been revoked, it will be displayed striked-through in contact lists of other users within 24 hours. If the option “hide inactive contacts” is enabled, the ID disappears entirely.

To revoke an ID, navigate to Users in the management cockpit. Find the appropriate Threema ID, and click on “Revoke ID” to revoke the Threema ID. Within about an hour, the affected user will be unable to send and receive messages.

Detach a Threema ID
By detaching a Threema ID from a subscription, the ID is removed from the subscription’s list of active users. Thus, it can no longer be revoked by subscription administrators, and it will no longer be labeled as internal contact.

However, the holder of the ID can continue to use it (either in the consumer app or using credentials of another Threema Work subscription). If the ID is used again in conjunction with credentials of this subscription, it will reappear in the list of active users.

Threema Work users’ contact lists can be managed as follows:

Label internal contacts
The colored dots next to a contact indicate the verification level. Internal contacts (i.e., contacts that are part of the same Threema Work subscription) can be labeled with the blue verification level. In the management cockpit, navigate to “App Contacts > Settings” to (de)activate “Mark internal contacts”.

Make contacts available
In the management cockpit, you can specify contacts that will be added to the contact lists of all users of the subscription. To manually add contacts, navigate to “App Contacts”, and click on “Add manually”. To automatically make all users of the subscription available to each other, open “App Contacts > Settings” and set “Activate new users automatically” to “On”.

If a contact is deactivated after it was already made available, it will remain in the contact lists of the current users, but it won’t be labeled with two blue dots anymore. However, disabled contacts will not be added to contact lists of new users.

Corporate directory

For large organizations comprising of several hundred or even thousands of members, making all contacts available (s. above) inevitably leads to an overwhelmingly long contact list. Here’s where the “corporate directory” comes into play. It allows users to quickly look up other members of the same organization right in the app. Add to that the ability to query all members of a given department using categories (and the wildcard search).

Setting up the “company directory” is simple and straightforward; please refer to the dedicated step-by-step guide for details.

Good to know: If the company directory is active but should not be available in the app to certain users, set the “th_disable_work_directory” configuration setting in the app configuration to “On” and “true” for these users. This way, they won’t be able to access the company directory.

Restrict communication to internal contacts (Closed user group)

Using the following configuration settings, users of a subscription can only communicate with other users of the same subscription or with contacts that were added manually in the management cockpit (see “Make contacts available” above). The communication with external contacts is disabled.

Tab Configuration setting Activated Value
Contacts th_block_unknown

On

true

Contacts th_contact_sync

On

false

Contacts th_disable_add_contact

On

true

Profile th_readonly_profile

On

true

The “subscription group” feature allows you to share the company directory across several subscriptions and thus search contacts in all of the subscriptions that belong to the same group. To use the feature, at least two subscriptions of the Professional and/or Education price plan have to be grouped, and the company directory needs to be activated.

If you want to allow your users to search contacts across several subscriptions , please proceed as follows:

  1. Log into your Threema Work admin account.
  2. Activate the company directory in the subscriptions you want to group: navigate to “App contacts > Settings” and activate the switch next to “Activate company directory.”
  3. In the “Subscriptions” overview, tap on the “Create new subscription group” button.
  4. Define a name for your subscription group.
  5. Drag and drop the required subscriptions into the subscription group.

If the company directory should not be available in the app for certain users, adjust the corresponding configuration setting in the app configuration in the management cockpit as described here under “Company directory.”

Good to know: contacts that have been found and added to the local address book via the company directory are labeled with two blue dots as an internal contact.

Get an overview of the configuration settings available in the management cockpit in our product demo.

Example: Allowing the creation of group chats only for individual users

If you aren’t using an external MDM system or would like to preconfigure the app for users who bring their own devices (BYOD), we recommend using the app configuration in the management cockpit.

Adjustment for all users (Global)

  1. Open the “App configuration” section in the Threema Work management cockpit, which expands the subsection “Global”.
  2. In addition to the name of each configuration setting, the table contains a short description of the impact a configuration setting change has in the app.
  3. In our example, navigate to the category “Communication,” activate th_disable_create_group, and change the configuration setting to true.

Adjustments for individual users (Individual)

  1. Open the “Individual” subsection, and click on a username to select one or more users who may use the app differently than what the global settings define.
  2. Clicking on “Continue” (the number of selected users is shown in brackets) allows you to adjust the app further in the respective category.
  3. Activate the configuration setting in the category “Communication,” and leave it false.

You have now successfully configured the app in a way that allows only predefined users to create a group chat.

Efficient input of individual values

If your subscription contains more than a dozen users, having to manually edit each value can be cumbersome, and it might be a good idea to import the values using a CSV file. In the management cockpit, navigate to “App configuration,” select “Import/export”, and proceed as follows:

  1. Export the configuration settings as a CSV file
  2. Edit the configuration settings in the CSV file
  3. Import the edited CSV file

The individual settings are now defined.

To automate the process, you can use the Threema Work API.

Good to know

  • Individual configuration settings for individual users are treated with a higher priority than global configuration settings for all users, i.e., individual configuraton settings override global configuration settings.
  • All configuration settings concerning app customization are documented both in the management cockpit and in the Threema Work website’s help section.
  • A few configuration settings (those with an information icon next to the configuration setting name) are only set when users license the app. For users who have completed the setup process, a change to these settings will only become effective if they reinstall the app or generate a new ID.

The tilde character (~) in front of a contact name indicates that the name displayed is a nickname (e.g. “~Bob”). A user can choose any nickname, and it might not correspond to the actual name of said user (e.g. “Robert Smith”).

In the following cases, the tilde is not displayed:

  • You define the first and last name of users using your administrator privileges (via configuration settings or in the contact list that you provide through the management cockpit).
  • Contact synchronization is enabled, and the ID matches an email address and/or telephone number of a contact stored in the local address book. In this case, the contact list will show the name stored in the local address book instead of the nickname.
  • The user entered the name manually in the contact details in the app. In this case, the contact’s name is displayed, not the nickname.

Contact list in the app

It can take up to 24 hours until new users are visible or contact changes become effective in the app’s contact list. However, the synchronization can be forced manually in the app by pulling down the contact list.

Contact list in the management cockpit

The management cockpit and Threema’s directory server sync once per hour. Therefore, it can take up to one hour until new users are visible in the management cockpit’s “Contacts”.

Threema Safe allows to automatically create backups of your users’ most important Threema data and settings on a regular basis. By means of configuration settings in the category "Backups", you can determine whether your users can (A), cannot (B), or must (C) use Threema Safe. By default, Threema Safe can be used.

(A) Threema Safe can be used

Generally, you don’t need to adjust any configuration settings if you want to allow your users to choose whether to use Threema Safe or not. Please note, however:

  • If you have set th_disable_backups is to true, you need to set this configuration setting to false in order to allow your users to use Threema Safe.

  • If you have already set th_safe_enable to true or false, you need to delete this configuration setting in order to allow your users to use Threema Safe. If th_safe_enable is set, it is either mandatory ( true) or impossible ( false) to use Threema Safe.

Use th_safe_server_url to specify the server on which Threema Safe backups are stored. If th_safe_server_url isn’t set, your users can store Threema Safe backups on the Threema server or on any other server. Learn how to set up your server for Threema Safe…

(B) Threema Safe cannot be used

Set th_safe_enable to false to prevent your users from using Threema Safe. If you have already set th_disable_backups to true, it’s not necessary to set the th_safe_enable parameter. If th_disable_backups is set to true, no backups can be created.

(C) Threema Safe must be used

First, make sure that th_disable_backups and th_skip_wizard are not set to true. Then, set th_safe_enable to true. This configuration enforces the use of Threema Safe.

If you want to store your users’ Threema Safe backups on your own server, specify the URL to the Threema Safe directory on your server in th_safe_server_url. If this configuration setting isn’t set, your users’ Threema Safe backups will be stored on the Threema server. If your server requires authentication, please specify username and password in th_safe_server_username and th_safe_server_password, respectively.

Automatically restore Threema ID: This requires an external MDM system and is not available in the app configuration in your management cockpit. If you set th_safe_password and th_safe_restore_id, the backup will be restored without user interaction. Users don’t need to enter a password when re-installing the app or switching to a new device and can continue to use Threema Work immediately.

As a subscription’s administrator, you can add additional administrators and define the scope of their access privileges.

In the management cockpit, navigate to “Access privileges”. First, click on “Add user” to add a user. Then, set the user’s access privileges by ticking the appropriate checkboxes.

Additionally protect access to your management cockpit with two-factor authentication using Threema or another service of your choice.

  1. Log in at https://work.threema.ch/en/login.
  2. In the menu, select “Profile”, and click on “Login and security”.
  3. Follow the instructions.
  4. Store the backup codes you obtain after completing the setup. Using these codes, you are able to sign in if you should ever lose your mobile device.

Firewall settings can prevent the Threema Work app from establishing a connection to the Threema server, or they might block access to the management cockpit. To resolve this issue, please open the appropriate TCP ports.

Threema Work app: TCP ports 443 and 5222 need to be open for outgoing connections. Messages are transmitted through port 5222; port 443 serves as fallback in case of delays. For directory queries (synchronization of contacts, etc.) and media transmissions, HTTPS port 443 is used.

Threema calls: UDP port 3478 needs to be open for outgoing connections.

Threema group calls: UDP ports 22500–22532 need to be open for outgoing connections.

Management cockpit: TCP port 443 needs to be open for outgoing HTTPS connections.

If you experience connectivity issues with the desktop app or the web client, please refer to this FAQ article.

Threema Work offers several backup options that differ in various respects:

ID export Data backup System backup Threema Safe
Configuration Setting th_disable_id_export th_disable_data_backups th_disable_system_backups Documentation
OS Android, iOS Android iOS Android, iOS
Threema ID
Chats, including media files
Contacts, group memberships, and app settings
Can be managed by admins With external MDM system With external MDM system
Can be created by users
Storage location File or email File iTunes or iCloud Threema / Custom server
Storage duration Custom Custom Custom 180 days / Custom

By default, all backup options are available. Use configuration settings to restrict some or completely disable all backup options:

Don’t allow any kind of backup

To prevent your users from creating any kind of backup, use th_disable_backups. (This configuration setting overrides all configuration settings listed below.)

Prevent ID exports

To prevent your users from exporting their Threema ID, set the parameter th_disable_id_export totrue.

Prevent data backups (Android)

In Threema Work for Android, users can create data backups. To prevent this, set the configuration setting th_disable_data_backups, to true.

Prevent inclusion in OS backups (iOS)

iTunes backups can include Threema data. Set th_disable_data_backups to true to exclude Threema data from OS backups. Due to a restriction on iOS’ part, it’s not possible to distinguish between iTunes and iCloud backups.

Threema Safe

Set the configuration setting th_safe_enable to false to prevent users from creating Threema Safe backups. To learn more about the configuration of Threema Safe using configuration settings, please refer to this Help article.

You can use configuration settings to define which backup options are (not) available to your users. By default, all backup options are available.

Do not allow any backups at all

To prevent your users from creating any kind of backup, use th_disable_backups . (This configuration settings overrides all settings listed below.)

Prevent ID export

To prevent your users from exporting their Threema ID, set the configuration setting th_disable_id_export to true.

Prevent data backups (Android)

In Threema Work for Android, users can create data backups. To prevent this, set the configuration setting th_disable_data_backups to true.

Prevent inclusion in OS backups (iOS)

iCloud/iTunes backups can include Threema data. Set th_disable_system_backups to true to exclude Threema data from OS backups.

Threema Safe

Set the configuration setting th_safe_enable to false to prevent users from creating Threema Safe backups. To learn more about the configuration of Threema Safe using configuration settings, please refer to this Help article.

User management in management cockpit

The following browsers are supported (on any operating system): Mozilla Firefox, Google Chrome, Chromium, Opera, and Safari. No other browsers are supported.

App use on mobile device (smartphone or tablet)

Minimum requirement OS Minimum requirement Threema Work app
iOS 10 and iPhone 5s or above 3.01k
Android 4.44.3k

Other operating systems are not supported.

Interplay of Threema Work with Threema

Threema Work is tailored to the use in organizations and offers numerous benefits over the consumer version of Threema, especially in terms of administration, user management, app distribution, and preconfiguration. Threema Work allows to:

  • Acquire and distribute platform-independent licenses
  • Manage users
  • Preconfigure the app for your users
  • Define policies for the app’s use
  • Detach or revoke IDs when staff changes occur
  • Prevent access to future chats when employees leave the company
  • Manage the users’ contact list
  • And much more

The Threema and the Threema Work app are compatible and are generally identical as far as features are concerned. Both Threema and Threema Work are compliant with the EU General Data Protection Regulation (GDPR).

Threema OnPrem is the self-hosted version of the SaaS solution Threema Work. When using the on-premises version, all data is stored on a company server, which translates to complete data ownership as well as the highest level of security and total control over every aspect of the communication tool.

Users of the standard Threema app and Threema Work users can communicate without any limitations, as if they were using the same app. However, as administrator, you can restrict the communication to contacts contained in the contact list.

Threema OnPrem users can only communicate with other users of the same OnPrem instance (i.e., the same organization).

You can use Threema, Threema Work, and Threema OnPrem on the same device.

Please note, however, that a phone number or email address can only be linked to one Threema ID at a time (i.e., either to the Threema ID used in Threema Work or to the Threema ID used in the standard Threema app). Also, it’s not possible to use a Threema ID in both the Threema and the Threema Work app at the same time.

One of the advantages of Threema Work is the possibility to strictly separate personal and professional communication. We recommend that existing Threema users create a new ID for Threema Work, just like activating a new business phone number. Good to know: Both apps can be used simultaneously and the consumer app remains active.

Using personal Threema IDs in Threema Work

Transfering the personal Threema ID to Threema Work is not possible.

Using Threema Work IDs in the consumer app

If a user wants to use their existing Threema Work ID in Threema after leaving the company, the administrator must first detach the ID from the subscription. Only then can the user move their ID from Threema Work to the private Threema using Threema Safe or an ID export.

Important

  • The same ID cannot be used in two apps simultaneously.
  • Chat contents will not be transferred when switching from one app to the other.

Broadcast

Threema Broadcast

Threema Broadcast allows you to make use of the full potential of one-to-many communication. Various channels are available, including newsfeeds, distribution lists, interactive chat bots, and centrally managed groups. Threema Broadcast is an integral part of Threema Work.

Open Threema Broadcast help

Threema Broadcast is a web interface that allows for convenient top-down communications via Threema. Use Threema Broadcast to communicate with employees, customers, and third parties.

Besides classic distribution lists and central groups, where you add and manage the recipients yourself, Threema Broadcast also offers feeds and bots. Feeds are dynamic newsletters; users can subscribe and unsubscribe at any time. Bots allow to conveniently retrieve information via Threema.

Learn more...

OnPrem

Threema OnPrem is designed for companies looking for a self-hosted messaging service that provides total data ownership and the highest possible level of security and confidentiality (e.g., public authorities, industrial companies, police forces).

Threema OnPrem is typically recommended for a volume of 500 or more end-user licenses. To run and maintain a Threema OnPrem server, your company must be ready to invest in infrastructure, and technical know-how is, of course, an essential prerequisite. The needs of companies that don’t meet these requirements are covered by the SaaS solution Threema Work.

No. Although Threema OnPrem includes certain customization options (like integrating a logo into the app’s UI), white labeling as such is not supported.

Like Threema Work, Threema OnPrem comes with the annual price for the total amount of end-user licenses; add to that the one-time setup fee plus a yearly flat fee to cover server license, software updates, and technical support. To get a quote, please contact us.

Threema OnPrem is the self-hosted version of the SaaS solution Threema Work. When using Threema OnPrem, all data is stored on your company’s server, which translates to complete data ownership and total and exclusive control over every aspect of the communication tool. The app, the administration console, and the feature set of Threema OnPrem and Threema Work are, in essence, identical.

Threema OnPrem Threema Work
App
iOS, Android, web app

iOS, Android, web app
Dashboard
Broadcast
Gateway (Message API)
Possibility to communicate with users of the Threema and the Threema Work app
Server location Custom Switzerland
Recommended number of users >500 >15
Minimum contract duration 2 years 1 year
Price On request
End-user licenses, server license, setup fee, etc.
See Threema Work pricing

Threema OnPrem requires a Linux server (physical or virtual) with Docker. For smaller deployments of up to 1,000 users, 4 CPU cores, 8 GB RAM, and about 100 GB disk space are sufficient. Larger deployments of up to 100,000 users require 8 more CPU cores, 32 GB of additional RAM, and about 1 TB of disk space. These numbers are highly dependent on the usage intensity.

Threema OnPrem is an independent and completely self-contained chat environment. Users of Threema OnPrem can only communicate with other users of the same OnPrem instance. Using the Threema OnPrem app, it is therefore not possible to communicate with users of the Threema or the Threema Work app.

However, Threema, Threema Work, and Threema OnPrem can be used in parallel on the same device (but different Threema IDs have to be used).

Education

Threema Education is only available for public educational institutions, e.g., schools and universities.

Non-profit organizations and NGOs get a 30% discount on Threema Work. Learn more...

Once students leave school, the IT administration can withdraw their licenses and pass them on to new students.

The management cockpit allows you to generate and manage user licenses. In the Credentials section, you can generate, withdraw, and reallocate licenses.

Yes, Threema Education can be used without a SIM card and without a phone number. It is therefore perfectly suited for school tablets.

Yes, a minimum of 20 licenses must be ordered with the initial purchase of Threema Education.