Documentation

Introduction

Instant messaging in corporate environments

Instant messaging is an immediate and effortless means for information exchange, and it has become an integral part of today’s business communication. Instant messaging simplifies communication, improves collaboration, expedites workflows, and increases productivity. It is the most popular communication tool.

Risks of conventional chat solutions

Many of the apps that are used for business purposes don’t meet legal data-privacy requirements. Often used under the radar as “shadow IT”, messengers like WhatsApp pose several risks:

  • Unrestricted access to user data (such as contacts, metadata, locations, etc.) must be granted
  • Third parties can gain access to this data
  • The encryption used in them is not verifiable
  • There is no means for administration and user management
  • Legal requirements are not met
  • There is no strict separation between personal and professional communication

The legal requirements for chat services will increase once the new EU General Data Protection Regulation (GDPR) becomes effective in May 2018. Time to take appropriate measures!

A safe choice: Threema Work

Threema Work offers all features expected from a professional business messenger. No other messenger offers a comparable level of security, metadata restraint, and confidentiality. Overview of key advantages:

Threema is trusted by millions. It is a cost-efficient and simple way to make the communication of your employees, partners, and customers secure, privacy-compliant, and professionally manageable.

Features

Supported platforms

Threema Work is available for Android, iOS, and Windows Phone and can also be used on tablets.

With Threema Web, Threema can be used on the desktop (currently only available for Android).

App features

Threema Work provides all the features one would expect from a state-of-the-art instant messenger for organizations.

  • Send text and voice messages
  • End-to-end encrypted calls
  • Send files: PDFs, Office documents, .zip files, etc.
  • Share your pictures, videos, and locations
  • Create groups (of up to 100 members) and distribution lists
  • Polls and surveys, e.g. to schedule meetings
  • Verify contacts' identities by scanning their QR code to prevent man-in-the-middle attacks

The Threema Work app is based on Threema’s consumer app and offers similar features. You can find out more about features and answers to general questions about the app here.

Threema Work on your desktop

With Threema Web, you can conveniently chat from your desktop without compromising security. You have full access to all chats, contacts, and media files.

At this time, Threema Web is available for the Android version of the Threema Work app. Support for other platforms is in preparation.

Voice calls

Just like messages, calls with Threema Work are end-to-end encrypted and thus tap-proof.

Neither a SIM card nor a phone number is required. This allows you to make voice calls on tablets and iPads.

Threema calls are available starting with Threema Work 3.0.1k (iOS) and 3.21k (Android).

Voice calls can be completely disabled.

Please find additional information here.

Use on tablets or devices without a SIM card

A phone number is not required to use Threema Work. Threema Work can be used on devices without (or with multiple) SIM cards. You can even make Threema calls without a SIM card.

Integration in third-party applications using Threema Gateway

With Threema Gateway, Threema can be integrated into existing software applications. This allows companies and organizations to send, receive, and process Threema messages using their own software. Threema Gateway can be used for various purposes – the possibilities are virtually endless. Here are some real-world examples:

  • IncaMail, Swiss Post’s secure email service, uses Threema Gateway to forward encrypted emails. For example, payslips can be received not only as secure email but also as Threema message.
  • With a plugin, Threema can be used for two-factor authentication in the forum software xenForo.
  • Mercedes-Benz uses Threema Gateway for their messenger newsletter.
  • Whappodo, which now also supports Threema, is a solution for customer care and broadcasting via instant messenger.
  • AMBER Alert Germany notifies the people via Threema about cases of missing children.

Besides the above-mentioned xenForo plugin, there are many other Open Source projects that use Threema Gateway, e.g., Grafana and Mattermost.

To learn more, please visit the Threema Gateway website.

Security & Privacy

Security and privacy by design

Threema is trusted by millions and known for its unparalleled security and privacy protection. No other messenger offers a similar level of security, metadata restraint, and confidentiality. The award-winning app and its concept have been audited and verified several times.

  • Top-grade end-to-end encryption of the entire communication.
  • Strong encryption on users’ devices: Chats and messages are stored with strong encryption on the device.
  • Decentralized handling: No central storage of personal data.

Details about the encryption, key-pair management, physical data security, data protection laws, and other security advantages of our decentralized architecture are summarized in the Security and Privacy Reference Sheet.

The Cryptography Whitepaper contains comprehensive information about the technical architecture of our product.

Data-processing agreement

We don’t require a data processing agreement, but can provide one upon request.

For administrative reasons, we can only consider individual contract adjustments and supplementary agreements for subscriptions starting with 100 licenses. Please note that we will have to invoice any additional costs for an individual legal assessment.

Archiving chats

If your company requires that chats be stored externally for auditing or reporting purposes, you can asks users to export chats.

Due to the end-to-end encryption applied, it is not possible to create transcripts with the Threema Work management cockpit or the API.

Purchase & Order

Price plans

There are two price plans available: Business and Enterprise. A comprehensive comparison of the two price plans can be found here.

Changing your price plan

Subscriptions can be upgraded at any time in the management cockpit.

During the subscription period, a subscription cannot be downgraded. If you wish to downgrade the subscription starting with the next period, please contact our support before the current subscription period has expired. For technical reasons, it’s not possible to downgrade a subscription in the management cockpit.

Threema Work trial

You can try out Threema Work free of charge for two months with 15 users. Set up a trial subscription without obligation.

Subscription term

The subscription term is twelve months and will be automatically extended for another year unless duly terminated. Please refer to the Terms of Service for details.

Taxes applied to a purchase

Customers in Switzerland: The statutory VAT of 8% is applied to all invoices.

EU customers: Under the regulation of the EU we do not charge VAT on services provided. According to the reverse-charge regulation tax liability transfers to the recipient of services.

Other countries: Depending on local legislation, you might have to declare your purchase to your tax authority and pay VAT. Please contact your tax adviser for binding information.

Payment options

We offer the following payment options for your purchase:

Invoice
You will immediately receive a PDF invoice by email, due within 30 days. Invoices can be paid comfortably by wire transfer. After your wire transfer has been processed by our bank, your licenses are immediately activated.

PayPal / Credit Card
You will be redirected to PayPal, where you can issue a credit card payment also without a PayPal account. Your licenses are immediately activated after the payment. Refunds are credited to the credit card used for the payment.

Bitcoin
Pay anonymously with bitcoins. Licenses are activated after the receipt of your bitcoins.

No additional costs

Your price plan includes technical support and future software updates on all platforms; besides the subscription fee, no other fees apply.

Online prices
The prices indicated on the Threema Work website are online prices for direct orders on our web site; Terms of Service apply. Individual service agreements (e.g., Code of Conduct or individual contracts) can be considered for orders of more than 100 licenses. We reserve the right to charge for additional expenses due to individual legal assessments. Please contact us if an individual service agreement is required.

Offer for NGOs and educational institutions

Threema supports nonprofit organizations, schools, and other educational institutions in their endeavor to bolster the protection of privacy. Eligible organizations* benefit from preferred terms:

Contact us for further information.

* Threema reserves the right to review an organization’s eligibility at any time, and withdraw the discount if the eligibility criteria are no longer met.

Terms of service

The terms of service for Threema Work can be found here.

Threema Work for personal use

Threema Work is tailored to the needs of organizations and intended for corporate use. For personal use, we recommend the standard Threema version.

Rollout & Deployment

Overview of deployment options

You can deploy the Threema Work app manually or by using an MDM or EMM system:

1. Manual deployment without MDM
Manual deployment is straightforward. After the users have downloaded the free Threema Work app from the appropriate app store, they enter the credentials you have provided, and the app is ready for use. Learn more

Activation using URL actions
The Threema Work app can also be activated using a URL action. This relieves users from the burden of manually entering their credentials.

Threema MDM
Thanks to Threema MDM, mostsettings can be preconfigured even if the Threema Work app is not deployed using an MDM system.

2. Deployment using an MDM system
If you deploy the Threema Work app via MDM system, the credentials for the app’s activation are provided by the MDM system. The setup process can also be completed automatically using configuration parameters.

Depending on whether the app is deployed manually or using an MDM system, it’s recommended to use individual or global credentials. Learn more

Global vs. individual credentials

The Threema Work app must be activated using credentials before it is ready for use. Depending on whether the app is deployed manually or via an MDM system, individual or global credentials are appropriate.

When setting up a subscription, you can choose between global or individual credentials.

Manual deployment and management via Threema MDM: individual credentials
When deploying the Threema Work app manually (i.e., without using an MDM system), it’s recommended to use individual credentials, which means that each user gets separate credentials. When staff changes occur, you can simply withdraw a user’s access to the app by deleting the respective credentials in the management cockpit. If global credentials were used, access to the app could only be withdrawn for all users at once.

Use Threema MDM to preconfigure the app for all users without an own MDM system.

Deployment via MDM system: global credentials
When deploying the Threema Work app using an MDM system, the activation credentials are distributed along with the app. The users don’t get in touch with credentials, which is why it’s recommended to use global credentials for simplicity’s sake. If staff changes occur, an individual user’s access to the app can be withdrawn via the MDM system.

Mixed credentials
A subscription can also contain both global and individual credentials at the same time. This allows to manage selected devices using an MDM system, while the app is manually distributed to the other devices. To set up a subscription that contains mixed credentials, please get in touch with our support.

To view and manage a subscription’s credentials, log in to the corresponding management cockpit, and navigate to “Credentials”.

Manual deployment and app activation without MDM system

Threema Work can be deployed to the intended users in a few simple steps.

Please note that the information you use to log in to your account on the Threema Work website cannot be used to activate the app. Please follow the directions below to start using the app or to distribute it to users:

  1. Download the app
    Invite your users to download the free Threema Work app from the appropriate app store.
  2. Distribute the activation credentials
    Define the credentials for your users in the management cockpit (“Credentials” > “Activate credentials”). Send the individual activation credentials to your users.
  3. Set up the app
    After a user has entered the individual credentials, the app is activated. The user will then be guided through the setup process.

To relieve users from the burden of manually entering their credentials, you can send them activation links.

Thanks to Threema MDM, some settings can be preconfigured even if the Threema Work app is not deployed using an MDM system. This allows to remotely set up the app (and restrict certain settings) without using an MDM system. If you define all profile settings in Threema MDM, your users are relieved from completing the initial setup process.

It’s recommended to use individual credentials when manually deploying the Threema Work app.

Threema MDM: Remote configuration of the app without MDM system

If you don’t use an MDM system for the app’s deployment, Threema MDM is a convenient way of controlling the app’s settings in the management cockpit. With Threema MDM, the same parameters that are available when using a regular MDM system can be configured, please refer to the documentation of available parameters for more detailed information.

Rollout and deployment with MDM system

MDM systems (also referred to as “EMM systems”) allow to install and preconfigure applications on remotely managed mobile devices.

Threema Work supports Android Enterprise (Android 5.0 or higher) and Managed App Configuration (iOS 8.0 or higher). These standards are used by all popular MDM systems (cf. Supported MDM Systems).

Preconfiguration with MDM

Threema Work allows administrators of MDM systems to preconfigure the Threema Work to an extent that relieves end users almost entirely from setting up the app. Settings such as credentials, nickname, linked email address, and phone number can be parameterized. Contact synchronization, blocking of unknown contacts, and the backup password can be activated or deactivated by the administrator. The available configuration parameters are documented here.

If Threema MDM and a regular MDM system are used at the same time, parameters set in Threema MDM have priority.

Supported MDM systems

Threema Work is compatible with any MDM system that supports Android Enterprise (Android) and Managed App Configuration (iOS). Many developers of such MDM systems are part of the AppConfig Community. Threema Work is compatible with MobileIron, Sophos Mobile, Citrix XenMobile, SAP Afaria, VMware AirWatch, and others.

The following step-by-step instructions for deploying Threema Work are available:

Other MDM systems: Please make sure that your MDM system supports Android Enterprise (Android) and Managed App Configuration (iOS).

Containerization of the app

With Android Enterprise, it is generally possible to distribute the app in a container. iOS does not have a standardized type of container supported by the operating system.

However, Threema Work is not available as a wrapped container solution (e.g., for MobileIron AppConnect or Citrix MDX Toolkit). Wrapping would require substantial adjustments to the Threema Work app that would lead to considerable limitations and incompatibilities. Since our requirements in regard to ease of use and reliability could not be met, wrapping is not supported.

If your company uses MobileIron AppConnect, please refer to this article.

MobileIron AppConnect vs. Android Enterprise

Threema Work supports Android Enterprise (formerly known as Android for Work). For technical reasons, MobileIron AppConnect and Android Enterprise can’t be used at the same time.

However, Threema MDM can be used to manage the Threema Work app separately in case you use MobileIron AppConnect.

Configuration & User Management

Subscription and user management

Using Threema Work’s management cockpit, you can easily administer your subscriptions and users.

Threema Work Management Cockpit Screenshot

The management cockpit allows you to:

  • Increase the number of users and renew subscriptions
  • Upgrade existing subscriptions and purchase new ones
  • Manage the users' contact list
  • Control app settings in the management cockpit
  • Manage users and credentials
  • Revoke IDs and detach IDs from a subscription
  • Set an in-app logo
  • Show data evaluation of your subscription
  • Access Threema Gateway credits
  • Request support

In addition, Enterprise customers can manage users and subscriptions via API.

Adjusting the number of users

You can increase the number of users at any time in the management cockpit. The price per license is adjusted according to the amount of time that’s left in the current term.

If you would like to decrease the number of users for the next term of a subscription, please contact our support before the current term has expired. For technical reasons, it’s not possible to decrease the number of users in the management cockpit.

Including external or temporary employees

Purchase additional licenses for external or temporary employees joining your team. You can integrate them in an existing subscription or keep them in a separate subscription.

Once the project is finished, you can withdraw their access to the Threema Work app and/or revoke their Threema IDs.

Withdrawing access to the app or revoking an ID

The following features are particularly useful when handling staff changes:

Withdraw access to the app
In the management cockpit, navigate to Credentials. Find the appropriate credentials, and click on the trash-can icon to delete the credentials.

Please note that it may take up to 24 hours until the former employee loses access to the app.

Detach a Threema ID
By detaching a Threema ID from a subscription, the ID is removed from the subscription’s list of active users. Thus, it can no longer be revoked by subscription administrators, and it will no longer be labeled as internal contact.

However, the holder of the ID can continue to use it (either in the consumer app or using credentials of another Threema Work subscription). If the ID is used again in conjunction with credentials of this subscription, it will reappear in the list of active users.

Revoke Threema ID
Revocation will permanently delete a Threema ID and all associated information from the servers. This will make it impossible for a user to send or receive any message using this ID, or to restore the ID from a backup. It is the most secure method to exclude a former employee from your organization's internal communication.

Please note:

  • An ID revocation cannot be undone and is only available to administrators of Enterprise subscriptions.
  • As a Threema Work administrator, you can revoke a user’s Threema ID even if they have set an ID Revocation Password.
  • It might take up to one hour for a revocation to take effect. After a Threema ID has been revoked, it will be displayed striked-through in contact lists of other users within 24 hours. If the option “hide inactive contacts” is enabled, the ID disappears entirely.

To revoke an ID, navigate to Users in the management cockpit. Find the appropriate Threema ID, and click on “Revoke ID” to revoke the Threema ID. Within about an hour, the affected user will be unable to send and receive messages.

Managing the contact list

With Enterprise subscriptions, Threema Work users’ contact lists can be managed as follows:

Label internal contacts
The colored dots next to a contact indicate the verification level. Internal contacts (i.e., contacts that are part of the same Threema Work subscription) can be labeled with two blue dots. In the management cockpit, navigate to “App customizing > Contacts > Mark internal contacts” to (de)activate this setting.

Make contacts available
In the management cockpit, you can specify contacts that will be added to the contact lists of all users of the subscription. To manually add contacts, navigate to “App customizing > Contacts”, and click on “Add”. To automatically make all users of the subscription available to each other, set “Enable new users automatically” to “On”.

If a contact is deactivated after it was already made available, it will remain in the contact lists of the current users, but it won’t be labeled with two blue dots anymore. However, disabled contacts will not be added to contact lists of new users.

Restrict communication to internal contacts (Closed user group)
Inhibit the communication with external contacts with the following parameters:

th_block_unknown,
th_contact_sync, and
th_disable_add_contact.

This means that users of a subscription can only communicate with other users of the same subscription or with contacts that were added manually in the management cockpit (see above).

Managing access privileges

As a subscription’s administrator, you can add additional administrators and define the scope of their access privileges.

In the management cockpit, navigate to “Access privileges”. First, click on “Add user” to add a user. Then, set the user’s access privileges by ticking the appropriate checkboxes.

Miscellaneous

Firewall settings

Firewall settings can prevent the Threema Work app from establishing a connection to the Threema server, or they might block access to the management cockpit. To resolve this issue, please open the appropriate TCP ports.

Threema Work app: TCP ports 443 and 5222 need to be open for outgoing connections. Messages are transmitted through port 5222; port 443 serves as fallback in case of delays. For directory queries (synchronization of contacts, etc.) and media transmissions, HTTPS port 443 is used.

Management cockpit: TCP port 443 needs to be open for outgoing HTTPS connections.

Click here for connectivity issues with Threema Web.

Threema Work vs. Threema

You can use both Threema Work and the standard Threema app on the same device. Please note that a phone number or email address can only be linked to one Threema ID at a time, meaning either to your ID in Threema or in Threema Work.

Threema Work users and users of the regular Threema app can communicate without any limitations, as if they were using the same app. However, you can configure Threema Work to restrict the communication with contacts contained in the contact list, in which case third parties can't initiate conversations.

Users switching from Threema to Threema Work

If users would like to continue using their existing Threema IDs in Threema Work, they can create an ID backup in Threema and restore it in Threema Work.

Please note that it isn't possible to use the same ID on two devices or concurrently in Threema and Threema Work.