Setting up two-factor authentication

Additionally protect access to your management cockpit with two-factor authentication using Threema or another service of your choice.

  1. Log in at https://work.threema.ch/en/login.
  2. In the menu, select “Profile”, and click on “Login and security”.
  3. Follow the instructions.
  4. Store the backup codes you obtain after completing the setup. Using these codes, you are able to sign in if you should ever lose your mobile device.

Related articles

Using Threema Work’s management cockpit, you can easily manage your subscriptions and users.

Management-Cockpit

As Professional user, the management cockpit allows you to:

  • Create quotations, and access orders and invoices
  • Increase the number of users, and renew subscriptions
  • Upgrade existing subscriptions, and purchase new ones
  • Manage the users’ contact list
  • Access Threema Broadcast
  • Preconfigure the app
  • Manage users and credentials
  • Revoke IDs, and detach IDs from a subscription
  • Set an in-app logo
  • View statistics of your subscription
  • Request support

In addition, Professional customers can manage users and subscriptions via API.

The management cockpit overview shows how many users are active (393), how many credentials are defined (219), and how many users have licensed Threema Work in total (500). In this example, the app can be activated on another 107 devices.

Management-Cockpit

Add new users

First, make sure that the required number of credentials is available. Then, switch to the “Credentials” menu, and click on “Add/import credentials”.

  • To add multiple users at at once (e.g., from a .csv file), switch to the “Bulk insert / Import” tab.
  • Multiple devices can be activated using the same credentials: Instructions

If all credentials are activated (i.e., the number of active users and the total number of credentials are the same), click on the “Increase number of users” button in order to purchase additional licenses for the remaining duration of the subscription.

Transfer license to a new user

See Managing staff or device changes.

Licensing more users

If you need more users than are currently licensed (100 in the example above), simply click on “Increase number of users”.

Purchase additional licenses for external or temporary employees joining your team. You can integrate them in an existing subscription or keep them in a separate subscription.

Once the project is finished, you can withdraw their access to the Threema Work app and/or revoke their Threema IDs.

With the following settings, users of a subscription can only communicate with other users of thesame subscription or with contacts that were added manually in the management cockpit. The communication with external contacts is inhibited.

Parameter name Activated Value
th_block_unknown

On

true
th_contact_sync

On

false
th_disable_add_contact

On

true
th_readonly_profile

On

true

Note: If you use Threema Broadcast, please manually add your Broadcast ID as a contact (navigate to “Customization > Contacts > Add,” and enter your Broadcast ID). This way, your users are able to receive messages from your feeds and distribution list.

The following features are particularly useful when handling staff changes:

Withdraw access to the app
In the management cockpit, navigate to Credentials. Find the appropriate credentials, and click on the trash-can icon to delete the credentials.

Please note that it may take up to 24 hours until the former employee loses access to the app.

Revoke Threema ID
Revocation will permanently delete a Threema ID and all associated information from the servers. This will make it impossible for a user to send or receive any message using this ID, or to restore the ID from a backup. It is the most secure method to permanently exclude someone from your organization's internal communication.

Please note:

  • An ID revocation cannot be undone.
  • As a Threema Work administrator, you can revoke a user’s Threema ID even if they have set an ID Revocation Password.
  • It might take up to one hour for a revocation to take effect. After a Threema ID has been revoked, it will be displayed striked-through in contact lists of other users within 24 hours. If the option “hide inactive contacts” is enabled, the ID disappears entirely.

To revoke an ID, navigate to Users in the management cockpit. Find the appropriate Threema ID, and click on “Revoke ID” to revoke the Threema ID. Within about an hour, the affected user will be unable to send and receive messages.

Detach a Threema ID
By detaching a Threema ID from a subscription, the ID is removed from the subscription’s list of active users. Thus, it can no longer be revoked by subscription administrators, and it will no longer be labeled as internal contact.

However, the holder of the ID can continue to use it (either in the consumer app or using credentials of another Threema Work subscription). If the ID is used again in conjunction with credentials of this subscription, it will reappear in the list of active users.

Threema Work users’ contact lists can be managed as follows:

Label internal contacts
The colored dots next to a contact indicate the verification level. Internal contacts (i.e., contacts that are part of the same Threema Work subscription) can be labeled with the blue verification level. In the management cockpit, navigate to “App Contacts > Settings” to (de)activate “Mark internal contacts”.

Make contacts available
In the management cockpit, you can specify contacts that will be added to the contact lists of all users of the subscription. To manually add contacts, navigate to “App Contacts”, and click on “Add manually”. To automatically make all users of the subscription available to each other, open “App Contacts > Settings” and set “Activate new users automatically” to “On”.

If a contact is deactivated after it was already made available, it will remain in the contact lists of the current users, but it won’t be labeled with two blue dots anymore. However, disabled contacts will not be added to contact lists of new users.

Corporate directory

For large organizations comprising of several hundred or even thousands of members, making all contacts available (s. above) inevitably leads to an overwhelmingly long contact list. Here’s where the “corporate directory” comes into play. It allows users to quickly look up other members of the same organization right in the app. Add to that the ability to query all members of a given department using categories (and the wildcard search).

Setting up the “corporate directory” is simple and straightforward; please refer to the dedicated step-by-step guide for details.

Restrict communication to internal contacts (Closed user group)

Using the following Threema MDM settings, users of a subscription can only communicate with other users of the same subscription or with contacts that were added manually in the management cockpit (see “Make contacts available” above). The communication with external contacts is disabled.

Parameter name Activated Value
th_block_unknown

On

true
th_contact_sync

On

false
th_disable_add_contact

On

true
th_readonly_profile

On

true

Video tutorial

Threema MDM: A Walkthrough
Find out how to preconfigure the Threema Work app using Threema MDM.
All video tutorials

Example

If you aren’t using an external MDM system or would like to preconfigure the app for users who bring their own devices (BYOD), we recommend using Threema MDM.

This walkthrough is based on a fictitious example in which the administrator wants to allow the creation of group chats only for individual users, whereas the majority of users is not allowed to create group chats.

Adjustment for all users (global values)

  1. Open the menu “Threema MDM” in the Threema Work management cockpit, which expands the submenu“Global values”.
  2. In addition to the name of a parameter, the table contains a short description of the impact aparameter change has in the app.
  3. In our example, activate th_disable_create_group, and set the parameter to true.

Adjustments for individual users (individual values)

  1. Open the “Individual values” submenu, and click on a username to select one or more users who may use the app differently than what the global settings define.
  2. Clicking on “Continue” (the amount of selected users is shown in brackets) allows you to adjust the app further.
  3. Activate the parameter, and leave the setting false.

You have now successfully configured the app in a way that allows only predefined users to create a group chat.

Efficient input of individual values

If your subscription contains more than a dozen users, having to manually edit each value can be cumbersome, and it might be a good idea to import the values using a CSV file. In the management cockpit, navigate to “Threema MDM”, select “Import / Export”, and proceed as follows:

  1. Export the MDM values as CSV file
  2. Edit the MDM values in the CSV file
  3. Import the edited CSV file

The individual values are now set.

To automate the process, you can use the Threema Work API.

Good to know

  • Individual settings for individual users are treated with a higher priority than globalsettings for all users, i.e., individual settings overwrite global settings.
  • All app customization parameters are documented both in the management cockpit andin Threema Work website’s help section.
  • A few parameters (those that are not “renewable”, see parameterdocumentation) are only set when users license the app. For users who have completed the setup process, a change to these values will only become effective if they reinstall the app or generate a new ID.

The tilde character (~) in front of a contact name indicates that the name displayed is a nickname (e.g. “~Bob”). A user can choose any nickname, and it might not correspond to the actual name of said user (e.g. “Robert Smith”).

In the following cases, the tilde is not displayed:

  • You define the first and last name of users using your administrator privileges (via MDM parameters or in the contact list that you provide through the management cockpit).
  • Contact synchronization is enabled, and the ID matches an email address and/or telephone number of a contact stored in the local address book. In this case, the contact list will show the name stored in the local address book instead of the nickname.
  • The user entered the name manually in the contact details in the app. In this case, the contact’s name is displayed, not the nickname.

Contact list in the app

It can take up to 24 hours until new users are visible or contact changes become effective in the app’s contact list. However, the synchronization can be forced manually in the app by pulling down the contact list.

Contact list in the management cockpit

The management cockpit and Threema’s directory server sync once per hour. Therefore, it can take up to one hour until new users are visible in the management cockpit’s “Contacts”.

Threema Safe allows to automatically create backups of your users’ most important Threema data and settings on a regular basis. By means of MDM parameters, you can determine whether your users can (A), cannot (B), or must (C) use Threema Safe. By default, Threema Safe can be used.

(A) Threema Safe can be used

Generally, you don’t need to adjust any MDM parameters if you want to allow your users to choose whether to use Threema Safe or not. Please note, however:

  • If you have set th_disable_backups is to true, you need to set this parameter tofalse in order to allow your users to use Threema Safe.

  • If you have already set th_safe_enable to true or false, you need to delete this parameter in order to allow your users to use Threema Safe. If th_safe_enable is set, it is either mandatory (true) or impossible (false) to use Threema Safe.

Use th_safe_server_url to specify the server on which Threema Safe backups are stored. If th_safe_server_url isn’t set, your users can store Threema Safe backups on the Threema server or on any other server. Learn how to set up your server for Threema Safe…

(B) Threema Safe cannot be used

Set th_safe_enable to false to prevent your users from using Threema Safe. If you have already set th_disable_backups to true, it’s not necessary to set the th_safe_enable parameter. If th_disable_backups is set to true, no backups can be created.

(C) Threema Safe must be used

First, make sure that th_disable_backups and th_skip_wizard are not set to true. Then, set th_safe_enable to true. This configuration enforces the use of Threema Safe.

If you want to store your users’ Threema Safe backups on your own server, specify the URL to the Threema Safe directory on your server in th_safe_server_url. If this parameter isn’t set, your users’ Threema Safe backups will be stored on the Threema server. If your server requires authentication, please specify username and password in th_safe_server_username and th_safe_server_password, respectively.

Automatically restore Threema ID: This requires an external MDM system and is not available in Threema MDM. If you set th_safe_password and th_safe_restore_id, the backup will be restored without user interaction. Users don’t need to enter a password when re-installing the app or switching to a new device and can continue to use Threema Work immediately.

As a subscription’s administrator, you can add additional administrators and define the scope of their access privileges.

In the management cockpit, navigate to “Access privileges”. First, click on “Add user” to add a user. Then, set the user’s access privileges by ticking the appropriate checkboxes.

Firewall settings can prevent the Threema Work app from establishing a connection to the Threema server, or they might block access to the management cockpit. To resolve this issue, please open the appropriate TCP ports.

Threema Work app: TCP ports 443 and 5222 need to be open for outgoing connections. Messages are transmitted through port 5222; port 443 serves as fallback in case of delays. For directory queries (synchronization of contacts, etc.) and media transmissions, HTTPS port 443 is used.

Threema calls: UDP port 3478 needs to be open for outgoing connections.

Management cockpit: TCP port 443 needs to be open for outgoing HTTPS connections.

If you experience connectivity issues with the desktop app or the web client, please refer to this FAQ article.

Threema Work offers several backup options that differ in various respects:

ID export Data backup System backup Threema Safe
MDM parameter th_disable_id_export th_disable_data_backups th_disable_system_backups Documentation
OS Android, iOS Android iOS Android, iOS
Threema ID
Chats, including media files
Contacts, group memberships, and app settings
Can be managed by admins With external MDM system With external MDM system
Can be created by users
Storage location File or email File iTunes or iCloud Threema / Custom server
Storage duration Custom Custom Custom 180 days / Custom

By default, all backup options are available. Use MDM parameters to restrict some or completely disable all backup options:

Don’t allow any kind of backup

To prevent your users from creating any kind of backup, use th_disable_backups. (This parameter overrides all parameters listed below.)

Prevent ID exports

To prevent your users from exporting their Threema ID, set the parameter th_disable_id_export totrue.

Prevent data backups (Android)

In Threema Work for Android, users can create data backups. To prevent this, set the MDM parameter th_disable_data_backups, to true.

Prevent inclusion in OS backups (iOS)

iTunes backups can include Threema data. Set th_disable_data_backups to true to exclude Threema data from OS backups. Due to a restriction on iOS’ part, it’s not possible to distinguish between iTunes and iCloud backups.

Threema Safe

Set the MDM parameter th_safe_enable to false to prevent users from creating Threema Safe backups. To learn more about the configuration of Threema Safe using MDM parameters, please refer to this Help article.

You can use MDM parameters to define which backup options are (not) available to your users. By default, all backup options are available.

Do not allow any backups at all

To prevent your users from creating any kind of backup, use th_disable_backups. (This parameter overrides all parameters listed below.)

Prevent ID export

To prevent your users from exporting their Threema ID, set the MDM parameterth_disable_id_export to true.

Prevent data backups (Android)

In Threema Work for Android, users can create data backups. To prevent this, set the MDM parameter th_disable_data_backups to true.

Prevent inclusion in OS backups (iOS)

iCloud/iTunes backups can include Threema data. Set th_disable_system_backups totrue to exclude Threema data from OS backups.

Threema Safe

Set the MDM parameter th_safe_enable to false to prevent users from creating Threema Safe backups. To learn more about the configuration of Threema Safe using MDM parameters, please refer to this Help article.

User management in management cockpit

The following browsers are supported (on any operating system): Mozilla Firefox, Google Chrome, Chromium, Opera, and Safari. No other browsers are supported.

App use on mobile device (smartphone or tablet)

Minimum requirement OS Minimum requirement Threema Work app
iOS 10 and iPhone 5s or above 3.01k
Android 4.44.3k

Other operating systems are not supported.

Show all FAQs

Show all FAQs