Instant messaging is an immediate and effortless means for information exchange, and it has become an integral part of today’s business communication. Instant messaging simplifies communication, improves collaboration, expedites workflows, and increases productivity. It is the most popular communication tool.

Risks of conventional chat solutions

Many of the apps that are used for business purposes don’t meet legal data-privacy requirements. Often used under the radar as “shadow IT”, messengers like WhatsApp pose several risks:

• Unrestricted access to user data (such as contacts, metadata, locations, etc.) must be granted
• Third parties can gain access to this data
• The encryption used in them is not verifiable
• There is no means for administration and user management
• Legal requirements are not met
• There is no strict separation between personal and professional communication

The legal requirements for chat services will increase once the new EU General Data Protection Regulation (GDPR) becomes effective in May 2018. Time to take appropriate measures!

Threema Work offers all features expected from a professional business messenger. No other messenger offers a comparable level of security, metadata restraint, and confidentiality. Overview of key advantages:

• Clear distinction between personal and professional communication
• Top-grade security and data protection
• Compliance with Swiss and European data protection laws
• State-of-the-art app with numerous features
• User-friendly management cockpit for administration and user management
• Easy integration into MDM systems

Threema is trusted by millions. It is a cost-efficient and simple way to make the communication of your employees, partners, and customers secure, privacy-compliant, and professionally manageable.

Threema Work is tailored to the use in organizations and offers numerous benefits over the consumer version of Threema, especially in terms of administration, user management, app distribution, and preconfiguration. Threema Work allows to:

• Acquire and distribute platform-independent licenses
• Manage users
• Preconfigure the app for your users
• Define policies for the app’s use
• Detach or revoke IDs when staff changes occur
• Prevent access to future chats when employees leave the company
• Manage the users’ contact list
• And much more

The Threema and the Threema Work app are compatible and are generally identical as far as features are concerned. Both Threema and Threema Work are compliant with the new EU General Data Protection Regulation (GDPR).

Before the Threema Work app can be used, it must be activated using credentials:

1. Log in at https://work.threema.ch/en/login, select a subscription, and set the credentials for your users in the “Credentials” section.
2. On your mobile phone, download the free app “Threema Work” from the appropriate app store.
3. Launch the Threema Work app, and enter the credentials you have defined in the first step above.

Threema Work is available for Android, iOS, and Windows Phone and can also be used on tablets.

With Threema Web (which is available for both Android and iOS), Threema can also be used on the desktop.

Threema Work provides all the features you expect from a state-of-the-art instant messenger for organizations

Basic app features

• Send text and voice messages
• Make voice calls
• Send files of any type (PDFs, Office documents, etc.)
• Share photos, videos and locations
• Use Threema on the desktop

Special features

• Create polls
• Silently agree or disagree to received messages
• Hide confidential chats and password-protect them with a PIN or your fingerprint (Android)
• Choose between a dark and a light theme
• Verify your contacts via QR code
• Add text formatting to messages
• Create distribution lists
• Quote text messages

The Threema Work app is based on Threema’s consumer app and offers similar features. You can find out more about features and answers to general questions about the app in the Threema FAQs.

With Threema Web, you can conveniently chat from your desktop without compromising security. You have full access to all chats, contacts, and media files.

Threema Web is available for both the Android and the iOS version of the Threema Work app.

Please note that a mobile device (on which the Threema Work app is present and activated using credentials) is required; it’s not possible to use Threema Web without a mobile device.

Just like messages, calls with Threema Work are end-to-end encrypted and thus tap-proof.

Neither a SIM card nor a phone number is required. This allows you to make voice calls on tablets and iPads.

Threema calls are available starting with Threema Work 3.0.1k (iOS) and 3.21k (Android).

Voice calls can be completely disabled.

Please find additional information here.

A phone number is not required to use Threema Work. Threema Work can be used on devices without (or with multiple) SIM cards. You can even make Threema calls without a SIM card.

Threema Broadcast is the tool for versatile, secure, and straightforward top-down communications.

• Use feeds and distribution lists to send messages to any number of recipients, and turn Threema into a powerful newsletter channel. While users can subscribe to and unsubscribe from feeds, you manage the recipients of distribution lists yourself.
• With bots, you can create interactive information-retrieval systems that allow your users to quickly get the answers they are looking for.
• Manage central group chats together with any number of co-administrators, and participate in the group discussion right from your PC.

Threema Broadcast is included in Threema Work Enterprise. The number of Broadcast recipients corresponds to the number of Enterprise licenses. For Example: If you have 80 Threema Work Enterprise licenses, there are 80 Threema Broadcast recipients available.

To learn more, please visit the Threema Broadcast website.

With Threema Gateway, Threema can be integrated into existing software applications. This allows companies and organizations to send, receive, and process Threema messages using their own software. Threema Gateway can be used for various purposes – the possibilities are virtually endless. Here are some real-world examples:

• IncaMail, Swiss Post’s secure email service, uses Threema Gateway to forward encrypted emails. For example, payslips can be received not only as secure email but also as Threema message.
• With a plugin, Threema can be used for two-factor authentication in the forum software xenForo.
• Mercedes-Benz uses Threema Gateway for their messenger newsletter.
• Whappodo, which now also supports Threema, is a solution for customer care and broadcasting via instant messenger.
• AMBER Alert Germany notifies the people via Threema about cases of missing children.

Besides the above-mentioned xenForo plugin, there are many other Open Source projects that use Threema Gateway, e.g., Grafana and Mattermost.

To learn more, please visit the Threema Gateway website.

Threema is trusted by millions and known for its unparalleled security and privacy protection. No other messenger offers a similar level of security, metadata restraint, and confidentiality.

• Top-grade end-to-end encryption of the entire communication.
• Strong encryption on users’ devices: Chats and messages are stored with strong encryption on the device.
• Decentralized handling: No central storage of personal data.

Details about the encryption, key-pair management, physical data security, data protection laws, and other security advantages of our decentralized architecture are summarized in the Security and Privacy Reference Sheet.

The Cryptography Whitepaper contains comprehensive information about the technical architecture of Threema.

Furthermore, well-established experts audit Threema periodically. Headed by Prof. Sebastian Schinzel, the Lab for IT Security of the Münster University of Applied Sciences has conducted the latest audit in March 2019. With considerable effort and all the required technical expertise, the Android and the iOS app as well as Threema Safe were examined in great detail for possible security flaws. However, no critical vulnerabilities were found, and the researches gave Threema top grades. Read the full audit report.

Threema Work is fully compliant with the European General Data Protection Regulation (GDPR). As a Swiss company, Threema is also subject to Switzerland’s strict Federal Act on Data Protection (DSG) and the accompanying Ordinance to the Federal Act on Data Protection (VDSG).

Transmitting data from the EU to Switzerland is permitted by law without any additional evaluation. Based on Article 25 (6) of the European Data Protection Directive, Swiss law guarantees a level of data protection equivalent to European legislation.

Threema Work can be used without providing personally identifiable information (such as a phone number or email address) and without granting access to the address book.

We don’t require a data-processing agreement, but we provide a standard agreement. Individual agreements are not possible.

If your company requires that chats be stored externally for auditing or reporting purposes, you can asks users to export chats.

Due to the end-to-end encryption applied, it is not possible to create transcripts with the Threema Work management cockpit or the API.

There are two price plans available for Threema Work, which differ in their features and services. A detailed comparison of these price plans is available here.

You can switch from a Business to an Enterprise subscription at any time by clicking “Upgrade to Enterprise” in the management cockpit.

If you wish to switch from Threema Work Enterprise to Business, please contact our support before the current subscription period expires.

You can try out Threema Work free of charge for two months with 15 users. Set up a trial subscription without obligation.

If you would like to convert your free trial into a regular subscription in order to keep the trial’s credentials and settings, please proceed as follows:

1. Log in to your Threema Work admin account
2. In the subscription overview, select the trial you wish to convert
3. In the trial’s management cockpit, navigate to “Overview”, and click “Buy now!”
4. Specify the desired number of users, select your preferred currency, and click “Next”
5. Follow the on-screen instructions to complete the order process

Important

If you choose to pay the invoice via bank transfer, it’s recommended to issue the payment as soon as possible in order to avoid a service interruption. Our financial institution must receive the billing amount before the trial has expired. (Licenses are available upon receipt of the payment, see Payment options.)

The subscription term is twelve months and will be automatically extended for another year unless duly terminated. Please refer to the Terms of Service for details.

Customers in Switzerland: The statutory VAT of 7.7% is applied to all invoices.

EU customers: Under the regulation of the EU we do not charge VAT on services provided. According to the reverse-charge regulation tax liability transfers to the recipient of services.

Other countries: Depending on local legislation, you might have to declare your purchase to your tax authority and pay VAT. Please contact your tax adviser for binding information.

Apart from the license costs, the use of Threema Work does not involve any other fees. All price plans include guaranteed availability, technical support, and software updates for all platforms.

Online prices

The prices indicated on the Threema Work website are online prices. The Terms of Service apply.

Individual agreements such as changes to our standard data-processing agreement, individual contracts as well as technical or legal questionnaires or documents are examined solely against payment of the administrative and legal expenses. Please contact us if an individual service agreement is required.

Threema supports nonprofit organizations, schools, and other educational institutions in their endeavor to increase privacy protection. Eligible organizations* benefit from preferential terms.

• Threema Education: Special offer for public educational institutions. Learn more…
• Nonprofit organizations: 30% discount on Threema Work. Contact us…

*) Threema reserves the right to review an organization’s eligibility at any time; if the eligibility criteria are not met, the discount will be withdrawn.

Licensing

Each app instance requires an individual license. If Threema Work is used on multiple devices at the same time, a separate license is required for each device (cf. Terms of Service).

To use Threema Work on your desktop, a mobile device on which Threema Work is installed is required; however, no additional license is necessary.

Handling

• A Threema ID cannot be used on multiple devices (or in Threema and Threema Work) at the same time.
• Per app, only one ID can be used at a time.
• An email address or phone number can only be linked to one Threema ID at a time. Linking the same email address or phone number to different Threema IDs is not possible.

Threema Work is tailored to the needs of organizations and intended for corporate use. For personal use, we recommend the standard Threema version.

You can deploy the Threema Work app manually or by using an MDM or EMM system:

1. Manual deployment: unmanaged devices (without MDM)
   Manual deployment is straightforward. After the users have downloaded the free Threema Work app from the appropriate app store, they enter the credentials you have provided, and the app is ready for use. Learn more…
2. Deployment via MDM system
   If you deploy the Threema Work app via MDM system, the credentials for the app’s activation are provided by the MDM system. The setup process can also be completed automatically using configuration parameters. Learn more…

The Threema Work app must be activated using credentials before it is ready for use. Depending on whether the app is deployed manually or via MDM system, the process of defining credentials differs slightly.

Manual deployment (unmanaged devices): individual credentials / single-user licenses

When deploying the Threema Work app manually to unmanaged devices, individual credentials (single-user licenses) are appropriate, which means that each user gets separate credentials to activate the app. If you would use the same credentials for different users (multi-user license), you could not withdraw a user’s access to the app by deleting their credentials or preconfigure the app using Threema MDM.

Deployment via MDM system (managed devices): global credentials / multi-user license

When deploying the Threema Work app using an MDM system, the credentials are distributed along with the app. The preconfiguration of the app is carried out directly in the MDM system, where you can, for example, activate contact synchronization, link a phone number, or set the user’s first and last name (learn more). When deploying the app using an MDM system, you don’t need to define different credentials for each user. Simply use the same username/password pair as multi-user license for all users. If staff changes occur, an individual user’s access to the app can be withdrawn via the MDM system.

Threema Work can be deployed to the intended users in a few simple steps. Then, it must be activated using credentials, and it’s ready for use.

1. Finding and defining credentials
   
   • Trial: Credentials have been created for you automatically. Find them in the Threema Work management cockpit.
   • New subscription: To set the credentials in the Threema Work management cockpit, navigate to “Credentials > Activate credentials”.
2. Download the app
   Instruct users to download the free Threema Work app from an app store. You can also place the APK version of the app at your Android users’ disposal.
3. Enter credentials (activate the app)
   In order to activate the app, your users need to enter the credentials you have specified above. Alternatively, the app can be unlocked using an activation link. Learn more about activation links…

Using Threema MDM, you can even preconfigure the app for your users. This way, you can make sure that the first and the last name is set, the correct phone number or email address is linked, and more. Details…

The “First Steps” PDF will guide you through the manual distribution and activation of the app.

MDM systems allow to install and preconfigure applications on remotely managed mobile devices. This article explains which MDM systems are supported, how the app can be preconfigured, and how to use credentials when deploying the app via MDM systems.

Supported MDM systems

Threema Work supports Android Enterprise (Android 5.0 or higher) and Managed App Configuration (iOS 8.0 or higher). These standards are used by all popular MDM systems (cf. Supported MDM Systems).

Preconfiguration using MDM

Threema Work allows administrators of MDM systems to preconfigure the Threema Work to an extent that relieves end users almost entirely from setting up the app. Settings such as credentials, nickname, linked email address, and phone number can be parameterized. Contact synchronization, blocking of unknown contacts, and the backup password can be activated or deactivated by the administrator. The available configuration parameters are documented here.

If Threema MDM and a regular MDM system are used at the same time, parameters set in Threema MDM have priority.

How to use credentials as multi-user license

Before the app can be used, it needs to be activated using credentials that can be defined in the management cockpit’s “Credentials” section. When using an MDM system to deploy the app, the same credentials can be used for all users. To use the same credentials for all users, the credentials must be marked as multi-user license after they have been added:

1. Zugangsdaten hinzufügen: Navigieren Sie im Management-Cockpit zu «Zugangsdaten», wählen Sie «Zugangsdaten hinzufügen/importieren», legen Sie in der Einzeleingabe Zugangsdaten an, und speichern Sie sie.
2. Mehrfachlizenz aktivieren: Klicken Sie in der Zugangsdaten-Übersicht auf das Bleistift-Symbol neben den betreffenden Zugangsdaten, und folgen Sie den Bildschirmanweisungen.

Übertragen Sie die Mehrfachlizenz in Ihr MDM-System.

Bei ungemanagten Geräten, bei denen Threema Work nicht über MDM ausgerollt wird, sind pro Nutzer separate Zugangsdaten (Einzellizenzen) zu verwenden. Nur so lässt sich die Nutzung und Konfiguration der App ideal durchführen (vgl. Manuelle Verteilung und Aktivierung der App bei ungemangten Geräten (ohne MDM-System)).

You can preconfigure the Threema Work app for your users and set it up as desired so that the app is ready for use when first launched. The preconfiguration can be carried out either using a regular MDM system or using Threema MDM. Threema MDM is typically used for unmanaged devices, where individual credentials come into play (this way, users can be identified and managed individually).

For users with individual credentials, “individual values” can be set in Threema MDM. Individual values are values that are typically different among different users, e.g., name, nickname, phone number, etc.

To learn how to set up Threema MDM, please refer to this configuration guide.

Threema Work is compatible with any MDM system that supports Android Enterprise (Android) and Managed App Configuration (iOS). Many developers of such MDM systems are part of the AppConfig Community. Threema Work is compatible with MobileIron, Sophos Mobile, Citrix XenMobile, SAP Afaria, VMware AirWatch, and others.

The following step-by-step instructions for deploying Threema Work are available:

• Deployment using Sophos Mobile
• Deployment using Citrix XenMobile

Other MDM systems: Please make sure that your MDM system supports Android Enterprise (Android) and Managed App Configuration (iOS).

With Android Enterprise, it is generally possible to distribute the app in a container. iOS does not have a standardized type of container supported by the operating system.

However, Threema Work is not available as a wrapped container solution (e.g., for MobileIron AppConnect or Citrix MDX Toolkit). Wrapping would require substantial adjustments to the Threema Work app that would lead to considerable limitations and incompatibilities. Since our requirements in regard to ease of use and reliability could not be met, wrapping is not supported.

If your company uses MobileIron AppConnect, please refer to this article.

Threema Work supports Android Enterprise (formerly known as Android for Work). For technical reasons, MobileIron AppConnect and Android Enterprise can’t be used at the same time.

However, Threema MDM can be used to manage the Threema Work app separately in case you use MobileIron AppConnect.

The Threema Work app must be activated using credentials. If you send your users activation links, they don’t have to enter their credentials manually. Like credentials, activation links can be found in the management cockpit’s “Credentials” section. By opening an activation link, the app gets unlocked.

Please note:

• The Threema Work app must be installed on the device in order for the activation link to work.
• On Android, the Threema Work app must have been opened at least once in order for the activation link to work.

The activation link is structured like this:

https://work.threema.ch/license?username=somecompany&password=xxxxxxxxx

Using Threema Work’s management cockpit, you can easily administer your subscriptions and users.

The management cockpit allows you to:

• Increase the number of users and renew subscriptions
• Upgrade existing subscriptions and purchase new ones
• Manage the users' contact list
• Control app settings in the management cockpit
• Manage users and credentials
• Revoke IDs and detach IDs from a subscription
• Set an in-app logo
• Show data evaluation of your subscription
• Access Threema Gateway credits
• Request support

In addition, Enterprise customers can manage users and subscriptions via API.

You can increase the number of users at any time in the management cockpit. The price per license is adjusted according to the amount of time that’s left in the current term.

If you would like to decrease the number of users for the next term of a subscription, please contact our support before the current term has expired. For technical reasons, it’s not possible to decrease the number of users in the management cockpit.

Purchase additional licenses for external or temporary employees joining your team. You can integrate them in an existing subscription or keep them in a separate subscription.

Once the project is finished, you can withdraw their access to the Threema Work app and/or revoke their Threema IDs.

The following features are particularly useful when handling staff changes:

Withdraw access to the app
In the management cockpit, navigate to Credentials. Find the appropriate credentials, and click on the trash-can icon to delete the credentials.

Please note that it may take up to 24 hours until the former employee loses access to the app.

Detach a Threema ID
By detaching a Threema ID from a subscription, the ID is removed from the subscription’s list of active users. Thus, it can no longer be revoked by subscription administrators, and it will no longer be labeled as internal contact.

However, the holder of the ID can continue to use it (either in the consumer app or using credentials of another Threema Work subscription). If the ID is used again in conjunction with credentials of this subscription, it will reappear in the list of active users.

Revoke Threema ID
Revocation will permanently delete a Threema ID and all associated information from the servers. This will make it impossible for a user to send or receive any message using this ID, or to restore the ID from a backup. It is the most secure method to permanently exclude someone from your organization's internal communication.

Please note:

• An ID revocation cannot be undone and is only available to administrators of Enterprise subscriptions.
• As a Threema Work administrator, you can revoke a user’s Threema ID even if they have set an ID Revocation Password.
• It might take up to one hour for a revocation to take effect. After a Threema ID has been revoked, it will be displayed striked-through in contact lists of other users within 24 hours. If the option “hide inactive contacts” is enabled, the ID disappears entirely.

To revoke an ID, navigate to Users in the management cockpit. Find the appropriate Threema ID, and click on “Revoke ID” to revoke the Threema ID. Within about an hour, the affected user will be unable to send and receive messages.

To integrate Threema Work into your central directory service (such as MS Exchange, AD, or LDAP), please use our APIs:

• Threema Work API
• Broadcast API

Different ways of integrating Threema Work into your central directory service are illustrated below.

In-app contact list

The Threema Work app can optionally synchronize its contact list with the address book of the mobile device. If the address book is linked to your central directory service (e.g., MS Exchange, AD, or LDAP), the contacts are mapped automatically to the appropriate Threema IDs, and contacts who use Threema appear in the app’s contact list. Learn here how to label internal contacts.

If you disable contact synchronization on the mobile devices, you can still add contacts via the management cockpit. The Threema Work API allows to automate the process of adding contacts to the management cockpit.

User management

Using the Threema Work API, you can automate administration and user management. Any management task that can be completed using the management cockpit can be completed using the API, for example:

• Define, edit, and remove credentials
• Manage the contact list
• Revoke or detach Threema IDs
• Preconfigure the app (set a nickname, link a phone number, etc.)

Broadcast: Groups, feeds, and distribution lists

Threema Broadcast is the perfect tool for efficient top-down communication. Using the Broadcast API, you can dispatch messages and manage feeds, distribution lists, and groups. Integrating Threema Broadcast into your directory service (e.g., MS Exchange, AD, or LDAP) is quite easy.

With Enterprise subscriptions, Threema Work users’ contact lists can be managed as follows:

Label internal contacts
The colored dots next to a contact indicate the verification level. Internal contacts (i.e., contacts that are part of the same Threema Work subscription) can be labeled with the blue verification level. In the management cockpit, navigate to “App customizing > Contacts > Mark internal contacts” to (de)activate the blue verification level.

Make contacts available
In the management cockpit, you can specify contacts that will be added to the contact lists of all users of the subscription. To manually add contacts, navigate to “App customizing > Contacts”, and click on “Add”. To automatically make all users of the subscription available to each other, set “Enable new users automatically” to “On”.

If a contact is deactivated after it was already made available, it will remain in the contact lists of the current users, but it won’t be labeled with two blue dots anymore. However, disabled contacts will not be added to contact lists of new users.

Restrict communication to internal contacts (Closed user group)

Using the following settings, users of a subscription can only communicate with other users of the same subscription or with contacts that were added manually in the management cockpit (see “Make contacts available” above). The communication with external contacts is inhibited.

Parameter name	Activated	Value
th_block_unknown
th_contact_sync
th_disable_add_contact
th_readonly_profile

If you aren’t using an external MDM system or would like to preconfigure the app for users who bring their own devices (BYOD), we recommend using Threema MDM.

This walkthrough is based on a fictitious example in which the administrator wants to allow the creation of group chats only for individual users, whereas the majority of users is not allowed to create group chats.

Adjustment for all users (global values)

1. Open the menu “Threema MDM” in the Threema Work management cockpit, which expands the submenu “Global values”.
2. In addition to the name of a parameter, the table contains a short description of the impact a parameter change has in the app.
3. In our example, activate th_disable_create_group, and set the parameter to true.

Adjustments for individual users (individual values)

1. Open the “Individual values” submenu, and click on a username to select one or more users who may use the app differently than what the global settings define.
2. Clicking on “Continue” (the amount of selected users is shown in brackets) allows you to adjust the app further.
3. Activate the parameter, and leave the setting “false”.

You have now successfully configured the app in a way that allows only predefined users to create a group chat.

Efficient input of individual values

If your subscription contains more than a dozen users, having to manually edit each value can be cumbersome, and it might be a good idea to import the values using a CSV file. In the management cockpit, navigate to “Threema MDM”, select “Import / Export”, and proceed as follows:

1. Export the MDM values as CSV file
2. Edit the MDM values in the CSV file
3. Import the edited CSV file

The individual values are now set.

To automate the process, you can use the Threema Work API.

Good to know

• Individual settings for individual users are treated with a higher priority than global settings for all users, i.e., individual settings overwrite global settings.
• All app customization parameters are documented both in the management cockpit and in Threema Work website’s help section.
• A few parameters (those that are not “renewable”, see parameter documentation) are only set when users license the app. For users who have completed the setup process, a change to these values will only become effective if they reinstall the app or generate a new ID.

The tilde character (~) in front of a contact name indicates that the name displayed is a nickname (e.g. “~Bob”). A user can choose any nickname, and it might not correspond to the actual name of said user (e.g. “Robert Smith”).

In the following cases, the tilde is not displayed:

• You define the first and last name of users using your administrator privileges (via MDM parameters or in the contact list that you provide through the management cockpit).
• Contact synchronization is enabled, and the ID matches an email address and/or telephone number of a contact stored in the local address book. In this case, the contact list will show the name stored in the local address book instead of the nickname.
• The user entered the name manually in the contact details in the app. In this case, the contact’s name is displayed, not the nickname.

Contact list in the app

It can take up to 24 hours until new users are visible or contact changes become effective in the app’s contact list. However, the synchronization can be forced manually in the app by pulling down the contact list.

Contact list in the management cockpit

The management cockpit and Threema’s directory server sync once per hour. Therefore, it can take up to one hour until new users are visible in the management cockpit’s “Contacts”.

Threema Safe can regularly create a backup of your users’ most important data and settings. Using MDM parameters, you can define whether your users are allowed to use Threema Safe (default setting) or whether they must or cannot use it.

Activate Threema Safe

First, make sure the th_disable_backups parameter is not set to true.

• Force the use of Threema Safe: To require the use of Threema Safe, set th_safe_enable to true. The users will be prompted to set up Threema Safe.

• Optional use of Threema Safe: If the parameter th_safe_enable isn’t set, the use of Threema Safe is optional. Your users are free to use Threema Safe, but they don’t have to. If th_safe_enable has already been set to true or false, you have to delete the parameter to restore the default setting.

Deactivate Threema Safe

Set th_safe_enable to false to prevent your users form using Threema Safe.

Alternatively, you can set th_disable_backups to true, which will disable all backup options, including Threema Safe.

Define server

Using th_safe_server_url, you can define on which server the Threema Safe backups are stored. If th_safe_server_url is not set, your users’ backups will be stored on the Threema server.

In case your server requires authentication, specify username and password in th_safe_server_username and th_safe_server_password, respectively. For more details on how to save Threema Safe backups on your own server, refer to this FAQ article.

Set password

If you use your MDM system, you can set the passwords of your users Threema Safe backups using the the th_safe_password parameter. Your users don’t see this password, and they can’t change it.

For privacy and security reasons, it’s not possible to use this parameter when using Threema MDM.

Restoring Threema Safe backups

Use the parameter th_safe_restore_enable to determine whether Threema Safe backups can (not) or must be restored in the setup wizard:

• Threema Safe backup can be restored: th_safe_restore_enable = true and th_safe_restore_id not set
• Threema Safe backup must be restored: th_safe_restore_enable = true and th_safe_restore_id set
• Automatically restore Threema Safe backups in the setup wizard (without user interaction): th_safe_password set
• Manually restore Threema Safe backups in the setup wizard (user must enter correct password): th_safe_password not set
• Threema Safe backup cannot be restored: th_safe_restore_enable = false

In-app logo

Increase your employees’ identification with the app by placing your logo in the app’s header.

Contact-list management

Add contacts to your users’ contact lists. Internal contacts are labeled with two blue dots. Learn more…

Custom support form

Define how your users get first-level support by integrating your own support form into the app.

As a subscription’s administrator, you can add additional administrators and define the scope of their access privileges.

In the management cockpit, navigate to “Access privileges”. First, click on “Add user” to add a user. Then, set the user’s access privileges by ticking the appropriate checkboxes.

Additionally protect access to your management cockpit with two-factor authentication using Threema or another service of your choice.

1. Log in at https://work.threema.ch/en/login.
2. In the menu, select “Profile”, and click on “Login and security”.
3. Follow the instructions.

Recommendation: You will receive 10 backup codes after the setup is complete. Save or print them immediately to retain access to your profile in case you lose access to your authentication app or mobile device.

Firewall settings can prevent the Threema Work app from establishing a connection to the Threema server, or they might block access to the management cockpit. To resolve this issue, please open the appropriate TCP ports.

Threema Work app: TCP ports 443 and 5222 need to be open for outgoing connections. Messages are transmitted through port 5222; port 443 serves as fallback in case of delays. For directory queries (synchronization of contacts, etc.) and media transmissions, HTTPS port 443 is used.

Management cockpit: TCP port 443 needs to be open for outgoing HTTPS connections.

Click here for connectivity issues with Threema Web.

User management in management cockpit

The following browsers are supported (on any operating system): Mozilla Firefox, Google Chrome, Chromium, Opera, and Safari. No other browsers are supported.

App use on mobile device (smartphone or tablet)

Other operating systems are not supported.

Users of the standard Threema app and Threema Work users can communicate without any limitations, as if they were using the same app. However, as administrator, you can restrict the communication to contacts contained in the contact list.

You can use both Threema Work and the standard Threema app on the same device. Please note, however, that a phone number or email address can only be linked to one Threema ID at a time (i.e., either to the Threema ID used in Threema Work or to the Threema ID used in the standard Threema app). Also, it’s not possible to use a Threema ID in both the Threema and the Threema Work app at the same time.

One of the advantages of Threema Work is the possibility to strictly separate personal and professional communication. We recommend that existing Threema users create a new ID for Threema Work, just like activating a new business phone number. Good to know: Both apps can be used simultaneously and the consumer app remains active.

Using personal Threema-IDs in Threema Work

An existing Threema ID can be used with Threema Work by restoring it from Threema Safe or an ID backup. The consumer app must then be deleted (or used with a different ID) since an ID cannot be used in both apps at the same time.

Using Threema Work IDs in the consumer app

If a user wants to use their existing Threema Work ID in Threema after leaving the company, the administrator must first detach the ID from the subscription. Only then can the user move their ID from Threema Work to the private Threema using Threema Safe or an ID backup.

Important

• The same ID cannot be used in two apps simultaneously.
• Chat contents will not be transferred when switching from one app to the other.
• Currently, Threema Safe is only available on Android devices; support for iOS and Windows Phone will be added soon.