SMS Manager

The SMS Manager is an add-on SMS component that enables short message service for this application. This application uses Twilio as the only SMS provider. Twilio is a cloud communications platform that works with this application to send and receive text messages.

This application uses the Twilio API to send messages for job notifications, job offers, and general messages via Outbound available as of application version 7.1.¹ Employees must opt in and verify their SMS contact to receive mobile text messages, job notifications, and job offers via SMS.

Users have the option to opt into SMS by selecting the SMS check box in their contacts when choosing a contact of type phone, mobile, or home. Moreover, once SMS is set the user must verify their contact information through Twilio. Once verified, the user’s SMS contact will show as verified in the user’s contact page.

The SMS Manager requires an SMS component license. Component specific permissions must be granted in System Authority Level > SMS > Device and Activity to access the SMS component.

Moreover, when outbounding via SMS, this application an HTTPS message request to Twilio, Twilio secures the message via TLS 1.2 and then sends the message to the recipient or recipients. As of June 26, 2019 TWILIO REST API supports TLS v1.2 and stronger cipher suites.

Twilio Security Guidelines
Please read the security guidelines from Twilio for information regarding Personal Health Information (PHI). "SMS messages were not designed to support secure communications, and therefore are not HIPPAA-compliant. Short codes should not be used to transmit Personal Health Information (PHI)." REF: https://support.twilio.com/hc/en-us/articles/223182008-Are-there-special-rules-for-campaigns-involving-health-information- Twilio API docs security details can be found here: https://www.twilio.com/docs/api/security

Twilio Security Guidelines

Please read the security guidelines from Twilio for information regarding Personal Health Information (PHI).

"SMS messages were not designed to support secure communications, and therefore are not HIPPAA-compliant. Short codes should not be used to transmit Personal Health Information (PHI)."

REF: https://support.twilio.com/hc/en-us/articles/223182008-Are-there-special-rules-for-campaigns-involving-health-information-

Twilio API docs security details can be found here: https://www.twilio.com/docs/api/security

For additional company information visit the Twilio website.

How SMS Works...

Once the SMS Manager is configured for an organization, employees must opt in to receive text messages, and verify their phone number to allow text messages from this application. A text message may include a job offer link, but whether or not job offers can be accepted or rejected via the corresponding link on the text message depends on whether Enforce Authentication is turned on in the Contact Manager.

Enforce Authentication options are:

Enforce Authentication ENABLED: the job offer link requires authentication because the link navigates the user to the application’s login home page for user verification. Employees must log into the application to accept or reject a job offer. Employees are presented the option via the text to either Accept or Reject the job offer on the message, after clicking the desired link either Accept or Reject will route the user to the Login page, upon log in the employees can accept or reject the job offer. Important, forwarding the job link to a different mobile device still navigates the user to the application login home page for authentication where upon successful log in the user can review their job offers
Enforce Authentication DISABLED: the job offer link does not require authentication. Employees can accept or reject a job offer using their mobile device. Employees click the desired link on the message, either Accept to fill the job offer, or Reject to refuse the job offer. Upon clicking the desired link the mobile device browser navigates the user to the SMS Notification landing page to confirm the user’s selection. Once confirmed the transaction is complete. On the SMS Notification landing page the user can additionally use the Sign In button to navigate to the application home page to log into the application and review any additional job offers if desired. Important, a job link may be forwarded to another device for further action to be taken without authenticating the user because enforce authentication is disabled.

Additionally, since employees can opt in to receive SMS messages, they can also opt out. Employees can reply STOP to the SMS verification message sent by Twilio at any moment. Doing so will blacklist that employee, and they will not receive text messages, which includes job offers via SMS. To restart SMS, the employee must reply to your company’s Twilio outbound number with the word START to receive text messages again. Please review Twilio Webhook section in this topic.

Twilio Prerequisites for SMS Manager

The SMS Manager requires a Twilio startup account. Twilio is a third party provider, please refer to Twilio’s documentation for startup and setup information available on the Twilio website.

The following information is required to set up Twilio account settings in this application:

Outbound Phone Number (Send From Number)
Secret Key
Account SID
Authorization Token
Configure Webhook in Twilio
Allow Twilio to cross your firewall.

Twilio Webhook

Standard messages include the option for employees to opt out. Employees can opt out of SMS notifications at any time by replying STOP to the SMS message sent by Twilio. When Twilio receives a STOP notification message the employee is blacklisted by Twilio. Twilio will not send SMS notifications to a person on their blacklist which could result in missed job offer links. Setting a webhook allows Twilio to notify this application when an employee has opted out of SMS communications. This application will in turn then remove SMS as a valid contact for that employee and at this point the employee is fully disassociated with SMS.

Simply put, without a webhook the blacklisted employee’s SMS contact displays as verified in this application which appears as if the employee can accept text messages and as such will pass from this application to Twilio - however, the blacklisted employee will not receive any SMS notifications including job offer links from Twilio because they opted out via STOP on the Twilio side.

Establishing a webhook is important to keep the employee in sync between Workforce TeleStaff and Twilio. Without establishing a webhook Workforce TeleStaff, will have no way of knowing when an employee has opted out of SMS notifications. As far as Workforce TeleStaff knows, the employee is SMS Verified and job offers will still be sent but the employee will not receive them. Using a webhook allows Twilio to notify this application when an employee opts out with STOP. Once alerted, this application removes SMS as a contact type from the employee’s contact information. Job offers are sent to the employee using all other contact methods.

To re-establish SMS communications the employee must first remove themselves from the Twilio blacklist. Replying START to Twilio will remove the employee from the blacklist. After replying START, the employee must then reset SMS, verify SMS, and contact their system administrator to test and confirm they can receive SMS notifications.

A sample webhook is: https://yourWFTS.kronos.com/response/twilio

Twilio requires a hook URL to be public facing from your web application in order to send notifications to a third party application.

Important: Twilio cryptographically signs its requests and Workforce TeleStaff will validate that the webhook requests comes from Twilio.

Source: https://www.twilio.com/docs/usage/security

If your request is a POST, Twilio takes all the POST fields, sorts them alphabetically by their name, and concatenates the parameter name and value to the end of the URL (with no delimiter).

Twilio takes the resulting string (the full URL with scheme, port, query string and any POST parameters) and signs it using HMAC-SHA1 and your AuthToken as the key.

Twilio sends this signature in an HTTP header called X-Twilio-Signature.

Workforce TeleStaff verifies the source of the data is from Twilio by reversing this process and takes the data, signs the string with HMAC-SHA1 using the AuthToken as the key. Once the data is base64 encoded and compared, the matching hash codes guarantee that the request has come directly from Twilio, and if it does not then a 403 error will occur.

Web Hook Configuration Note
When configuring the webhook in Twilio be sure to set your url and add -- /response/twilio to your URL path. Webhook configuration in Twilio is usually located in Messaging > A Message Comes In² Sample: A MESSAGE COMES IN: https://kronos.com/response/twilio

Web Hook Configuration Note

When configuring the webhook in Twilio be sure to set your url and add -- /response/twilio to your URL path. Webhook configuration in Twilio is usually located in Messaging > A Message Comes In²

Sample:

A MESSAGE COMES IN: https://kronos.com/response/twilio

Google Firebase Dynamic Link

Optionally - a Google Firebase dynamic link may be used to shorten the URL displayed to the employee via SMS. Dynamic links are used to customize the link with your brand or application name. Customized links provide more meaningful text and look more contextual resulting in higher user engagement and interaction. Google is a third party provider, please refer to Google’s documentation to setup a Firebase Dynamic Link.

A Google account in addition to the following information are required to set up a dynamic link in this application:

Google API Key
Link URL
Domain firebasedynamiclinks.googleapis.com must be whitelisted

SMS Prerequisites

Grant SMS rights to the application administrator roles in System > Authority Levels
Grant Outbound: Submit Verify rights to all user roles that will be using SMS in Setup > Security > Authority. Doing so enables the SMS settings in the Profile contacts section and enables the Test SMS function in the SMS Manager which is required to verify SMS.
Create an account with Twilio.
Configure SMS Manager.