Deploy Threema Work app configurations
Threema Work is a secure, GDPR-compliant instant messaging solution designed for corporate environments. It utilizes end-to-end encryption for group chats, voice calls, and video calls to ensure the safe exchange of sensitive business information.
Using Hexnode UEM, administrators can perform remote installation, deployment, and configuration of Threema Work on Android devices to maintain a secure communication infrastructure.
Security and Compliance Capabilities of Threema Work
Threema Work provides a robust security framework for enterprise messaging:
- End-to-End Encryption: Protection for all data types, including text, voice, and video.
- GDPR Compliance: Strictly adheres to EU General Data Protection Regulation requirements.
- Centralized Management: Hexnode UEM facilitates uniform app settings and security policy enforcement across the organization.
Deployment Overview
The process for deploying Threema Work via Hexnode UEM consists of several key technical phases:
- License Management: Adding an MDM-specific license via the Threema Work Admin Console.
- App Integration: Adding Threema Work to the Hexnode UEM app repository.
- Policy Creation: Defining deployment rules and app configurations.
- Policy Association: Targeting specific devices or users for rollout.
- App Setup and Initialization: Finalizing setup on the end-user device.
1. License Management
To deploy Threema Work on managed devices, administrators must first generate a dedicated MDM System License within the Threema infrastructure.
Step-by-Step License Configuration
- Access Admin Console: Log in to the Threema Work Admin Console.
- Navigate to User Management: Go to Enter Management Cockpit > User Management.
- Initiate License Creation: Click Add (or Add First Users) and select License for MDM System.
- Configure Credentials: Set a Username and Password. Choose a storage format based on your security requirements:
  - Plain text: Enables future password retrieval. To retrieve, navigate to User Management > License for MDM Systems, click the vertical ellipsis (:) icon for the specific license, and select Copy Password.
  - Hash: Increases security by preventing password recovery from the Threema Work Admin Console.
- Define License Count: Specify the total number of licenses required for your device fleet.
Upon completion, the MDM system license is active and ready for use within Hexnode UEM.
2. App Integration
To manage Threema Work as an enterprise application, it must be added to the Hexnode UEM app repository as a Managed Google App.
Step-by-Step App Integration
- Access UEM Console: Log in to the Hexnode UEM Console.
- Navigate to Apps Repository: Click on the Apps tab in the top navigation bar.
- Add Enterprise App: Click the + Add Apps button and select Managed Google Apps from the dropdown menu.
- Search and Select: In the search dialog, type “Threema Work. For Companies”. Locate the official app and click Select.
Once confirmed, the Threema Work app will appear in your Managed Apps list, enabling deployment via Hexnode policies.
3. Policy Creation
Administrators use Hexnode UEM policies to streamline the deployment of Threema Work and enforce specific security configurations.
Step 1: Create a Deployment Policy
- Navigate to the Policies tab.
- Select Device Policies > New Policy > Create a fully custom policy (or edit an existing one).
- Assign a Policy Name and Description.
- Go to Android > App Management > Required Apps and click Configure.
- Click +Add > Add App, search for “Threema Work. For Companies”, select it, and click Done.
Step 2: Set Up App Configurations
Under the App Configurations section, you can define how the Threema app behaves on the device.
- Click Configure within the policy.
- Click +Add New Configuration, select “Threema Work. For Companies”, and click Select.
- Configure the parameters based on the technical requirements listed below:

| Setting | Description |
| --- | --- |
| Corporate License Username | Defines the MDM system license username used to activate Threema Work on the device during provisioning. |
| Corporate License Password | Specifies the corresponding license password required for device-level authentication with Threema Work. |
| Nickname | Determines the display name shown to contacts and used in push notifications for user identification. |
| First Name | Assigns the user’s first name to the Threema Work profile for directory and contact visibility. |
| Last Name | Assigns the user’s last name to the Threema Work profile for identification and directory listings. |
| Customer Specific Identifier (CSI) | Stores a unique internal identifier (such as an employee ID) to distinguish users in the management cockpit and company directory. |
| Category | Groups users under a logical category such as department, team, or organizational unit. |
| Email | Links an email address to the Threema ID to enable secure contact discovery and synchronization. |
| Phone | Associates a phone number in international format with the Threema ID to support contact synchronization. |
| Contact Sync | Controls whether the app is allowed to synchronize contacts with the device’s local address book. |
| Readonly Profile | Locks profile attributes to prevent users from modifying identity details, exporting or deleting their ID, or setting a revocation password. |
| Block Unknown Contacts | Blocks incoming messages from contacts not present in the device’s contact list. |
| ID Backup String | Supplies pre-generated cryptographic key material used to restore an existing Threema ID on the device. |
| ID Backup Password | Specifies the decryption password required to restore the provided ID Backup String. |
| Disable Save to Gallery | Prevents unencrypted media files from being stored in the device’s photo or media gallery. |
| Disable Screenshots | Blocks screenshots and suppresses app previews in the Android app switcher to prevent data exposure. |
| Disable Add Contact | Prevents users from manually adding new contacts within the Threema Work app. |
| Disable Backups | Disables both local and cloud-based backups of Threema Work application data. |
| Disable Export | Prevents users from exporting chat histories from the application. |
| Disable Message Previews | Hides message content in system notifications to reduce information leakage. |
| Disable Send Profile Picture | Prevents the user’s profile picture from being shared with other Threema contacts. |
| Disable Threema Calls | Blocks all incoming and outgoing Threema voice calls on the device. |
| Skip Setup Wizard | Skips the initial onboarding wizard to accelerate first-time app launch on managed devices. |
| Disable Group Creation | Prevents users from creating new group conversations within Threema Work. |
| Enable Threema Safe Backups | Enforces the use of Threema Safe for securely backing up identity and configuration data during setup. |
| URL for Threema Safe Server | Specifies a custom Threema Safe server endpoint; if not provided, the default server is used. |
| Username for Threema Safe Server | Defines the username required to authenticate with the configured Threema Safe server. |
| Password for Threema Safe Server | Defines the password required to authenticate with the configured Threema Safe server. |
| Password for Threema Safe | Sets the encryption password used to protect Threema Safe backups. |
| Enable Threema Safe Restore Option | Allows restoration of data from Threema Safe during the setup process when applicable. |
| Threema ID to Restore from Threema Safe | Specifies the exact Threema ID that should be restored automatically during onboarding. |
| Disable Threema Web | Disables access to the Threema Web interface to prevent browser-based message access. |
| Disable Multi-Device | Prevents the Threema Work account from being linked to additional devices. |
| Disable ID Exports/Backups | Blocks the creation of ID exports or backup files by end users. |
| Disable Data Backups | Specifically prevents application data backups from being created or stored. |
| Hide Inactive IDs | Conceals revoked or inactive Threema IDs from user visibility. |
| Threema Web: Allowed Signaling Servers | Restricts Threema Web connectivity to a defined allowlist of signaling server hostnames. |
| Disable Media Saving and Sharing | Prevents manual saving or sharing of unencrypted media content from the app. |
| Password Format for Threema Safe (Regex) | Enforces a custom password policy for Threema Safe using a regular expression pattern. |
| Error Message for Invalid Threema Safe Password | Displays a custom error message when the entered password does not meet the defined format. |
| Disable Video Calls | Blocks all incoming and outgoing Threema video calls. |
| Disable Work Directory | Hides access to the internal Work directory within the app interface. |
| Disable Group Calls | Prevents participation in group voice or video calls. |
| Keep Messages (Days) | Defines how long messages are retained before automatic deletion (0 retains messages indefinitely). |
| Job Title | Assigns the user’s job title for organizational context and directory visibility. |
| Department | Assigns the user’s department to support internal identification and grouping. |

- After customizing settings, click Done, then Add.
- Click Save to finalize the policy.
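Several of the settings above depend on one another, so it helps to check the intended values before saving the policy. The following is an added example, not Hexnode or Threema code: a small pre-deployment check over a dictionary keyed by the setting labels from the table. The function name, the E.164-style reading of "international format", and the use of Python's `re` with whole-string matching as a stand-in for the app's regex engine are assumptions, and the sample values are constructed.

```python
import re

# Values Hexnode fills in at apply time (wildcards such as %phonenumber%).
WILDCARD = re.compile(r"%\w+%")
# Assumption: "international format" means E.164-style, "+" then 7-15 digits.
E164 = re.compile(r"\+[1-9]\d{6,14}")

def lint_threema_config(cfg):
    """Return a list of findings for a dict keyed by the console's setting labels."""
    findings = []
    has = lambda key: bool(str(cfg.get(key, "")).strip())
    # An ID backup string cannot be restored without its decryption password.
    if has("ID Backup String") and not has("ID Backup Password"):
        findings.append("ID Backup String set without ID Backup Password")
    # Safe server credentials only make sense as a pair.
    if has("Username for Threema Safe Server") != has("Password for Threema Safe Server"):
        findings.append("Threema Safe server username/password must be set together")
    # Phone must be in international format unless a wildcard supplies it later.
    phone = str(cfg.get("Phone", ""))
    if phone and not WILDCARD.search(phone) and not E164.fullmatch(phone):
        findings.append("Phone is not in international format: %r" % phone)
    # Retention is a non-negative day count; 0 keeps messages indefinitely.
    days = cfg.get("Keep Messages (Days)")
    if days is not None:
        if not isinstance(days, int) or isinstance(days, bool) or days < 0:
            findings.append("Keep Messages (Days) must be an integer >= 0")
        elif days == 0:
            findings.append("Keep Messages (Days) is 0: messages are never auto-deleted")
    # The Safe password regex must compile, and a preset password should satisfy it.
    pattern = cfg.get("Password Format for Threema Safe (Regex)")
    if pattern:
        try:
            compiled = re.compile(pattern)
        except re.error as exc:
            findings.append("Threema Safe password regex does not compile: %s" % exc)
        else:
            preset = cfg.get("Password for Threema Safe")
            if preset and not compiled.fullmatch(preset):
                findings.append("Preset Threema Safe password violates its own regex")
            if not has("Error Message for Invalid Threema Safe Password"):
                findings.append("Regex set without a custom error message for users")
    return findings

# Constructed sample policy values (not from a real tenant).
SAMPLE = {"ID Backup String": "XXXX-XXXX", "Phone": "0791234567", "Keep Messages (Days)": 0,
          "Password Format for Threema Safe (Regex)": r"(?=.*\d).{10,}",
          "Password for Threema Safe": "short1"}
if __name__ == "__main__":
    print("\n".join(lint_threema_config(SAMPLE)))
```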
4. Policy Association
Policy association is the final administrative step that pushes the Threema Work configurations to your managed fleet.
Associating an Unsaved Policy
If you are currently creating or editing a policy and have not yet clicked save:
- Navigate to the Policy Targets tab within the policy editor.
- Click +Add Devices to select individual hardware units.
- Alternative Targeting: From the left pane of the Policy Targets tab, you may also choose to associate the policy with:
  - Device Groups
  - Users
  - User Groups
  - Domains/OUs
- Select your target entities, click Ok, and then click Save.
Associating a Previously Saved Policy
If the policy is already active in your repository:
- Go to the Policies tab.
- Under Device Policies, locate and select the desired Threema Work policy.
- Click the Manage drop-down menu and select Associate Targets.
- Choose the target entities (Devices, Users, or Groups) and click Associate.
5. App Setup and Initialization
After the policy is associated via Hexnode UEM, the deployment concludes with an automated installation and a user-led activation process on the Android device.
- Automatic Installation: The “Threema Work. For Companies” app installs automatically on the device.
- Initial Activation: Open the app and tap the Set Up Now button.
- Threema ID Generation: The user must move their fingers across the screen to generate a unique Threema ID. This identifier is exclusive to the individual user and ensures end-to-end encryption integrity.
- Policy Application: Key user details, including nickname, phone number, and email address, will be pre-filled automatically. All other security and functional settings defined in the Hexnode policy are applied at this stage.
- Completion: Tap Finish to finalize the configuration.
Once these steps are completed, the Threema Work app is fully deployed, configured, and ready for secure corporate communication.
Frequently Asked Questions (FAQs)
1: How are user-specific details like nicknames and email addresses mapped into policy configuration?
Hexnode UEM supports the use of wildcards (e.g., %username%, %email%, %phonenumber%) within the App Configuration fields. When the policy is applied, these wildcards are automatically replaced with the corresponding data from the user’s details in the Hexnode portal.
2: What happens if the license count in the Threema Work Admin Console is exceeded?
If the number of active devices exceeds the defined License Count in the Threema Work Admin Console, new app activations will fail. Administrators must ensure the license limit is updated to match the size of the managed device fleet.
3: Is a separate MDM license required for Android and iOS devices?
No. A single MDM System License generated in the Threema Work Admin Console can be used to manage the entire fleet, regardless of whether the devices are Android or iOS. The same Username and Password credentials are applied in their respective Hexnode policies.