SimranRana, Staff
Article Id 395377
Description: This article describes an issue where reputable sites such as WhatsApp, Facebook, Instagram, etc., do not get blocked via the Deep Inspection profile.
Scope: FortiGate, Application Control, SSL/SSH Inspection Profile.
Solution

To block access to applications such as WhatsApp, either for all users or for specific groups, an Application Control policy can be created as shown below:

Firewall Policy:

KB1.png

Application Control Security Profile:

KB2.png

Some application signatures require SSL Deep Inspection:

KB3.png

After switching to a Custom Deep Inspection profile, reputable sites such as WhatsApp might start being allowed:

KB4.png

KB5.png

This can be caused by the following option in the Custom Deep Inspection profile (it is disabled on the default deep-inspection profile):

KB6.png

As WhatsApp, Instagram, Facebook, etc., are rated as reputable sites by FortiGuard, they are exempted from SSL inspection. Their traffic is therefore never decrypted, the application signatures that depend on deep inspection cannot match, and the sites start being allowed.

KB10.png

This can be verified for any site that is unexpectedly allowed after the Deep Inspection profile is assigned by enabling 'Log SSL exemptions' and checking Logs & Reports -> Security Events -> Logs -> SSL:

KB8.png

KB7.png

By disabling the 'Reputable websites' option under 'Exempt from SSL Inspection', these sites are no longer exempted, and the security profiles are applied as expected.

Also check the FortiGuard categories in the exempt list along with the addresses. If required, remove the category and keep only the addresses in the exempt list:

KB9.png
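As an added example (not part of the original article and not Fortinet tooling), the following Python script parses exported FortiGate SSL log lines in key=value form and reports which hostnames were exempted from inspection and for which reason, so an exemption of a site such as WhatsApp can be spotted in the 'Log SSL exemptions' output without reading entries one by one. The sample lines are constructed, and the field names eventtype, action, reason, hostname and profile, as well as the reason values, are assumptions made for this example; compare them against a real exemption entry under Logs & Reports -> Security Events -> Logs -> SSL before using the script on production logs. The host matching goes slightly beyond the article's case by treating subdomains of a listed name (web.whatsapp.com for whatsapp.com) as the same application.

```python
import re
from collections import defaultdict

# Constructed sample entries in FortiGate key=value log syntax. The keys
# eventtype/action/reason/hostname/profile and the reason values are
# assumptions for this example, not values taken from the article.
SAMPLE_SSL_LOGS = """\
date=2024-01-15 time=09:12:01 type="utm" subtype="ssl" eventtype="ssl-exempt" srcip=10.10.1.20 dstip=203.0.113.10 hostname="web.whatsapp.com" profile="custom-deep-inspection" action="exempt" reason="reputable-website"
date=2024-01-15 time=09:12:03 type="utm" subtype="ssl" eventtype="ssl-exempt" srcip=10.10.1.21 dstip=203.0.113.11 hostname="www.instagram.com" profile="custom-deep-inspection" action="exempt" reason="reputable-website"
date=2024-01-15 time=09:12:05 type="utm" subtype="ssl" eventtype="ssl-exempt" srcip=10.10.1.22 dstip=198.51.100.5 hostname="bank.example.com" profile="custom-deep-inspection" action="exempt" reason="fortiguard-category"
date=2024-01-15 time=09:12:07 type="utm" subtype="ssl" eventtype="ssl-exempt" srcip=10.10.1.23 dstip=192.0.2.9 hostname="intranet.example.net" profile="custom-deep-inspection" action="exempt" reason="address"
date=2024-01-15 time=09:12:09 type="utm" subtype="ssl" eventtype="ssl-negotiation" srcip=10.10.1.24 dstip=203.0.113.12 hostname="www.example.org" profile="custom-deep-inspection" action="pass"
"""

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    """Parse a block of log lines, skipping empty ones."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _is_exempt(rec):
    """True for entries that record an SSL inspection exemption."""
    return rec.get("eventtype") == "ssl-exempt" and rec.get("action") == "exempt"


def exemptions_by_reason(records):
    """Map each exemption reason to the set of hostnames exempted for it.

    Sessions that were actually inspected (other eventtypes) are ignored, so
    the result answers 'what did the profile decide not to decrypt, and why?'.
    """
    grouped = defaultdict(set)
    for rec in records:
        if _is_exempt(rec):
            grouped[rec.get("reason", "unknown")].add(rec.get("hostname", "<no-sni>"))
    return dict(grouped)


def _matches(host, names):
    """True if host equals one of names or is a subdomain of it."""
    return any(host == n or host.endswith("." + n) for n in names)


def unexpected_exemptions(records, should_be_inspected):
    """Return (hostname, reason, profile) for hosts the policy is meant to
    inspect (e.g. apps blocked by the Application Control profile) that were
    exempted instead; their traffic was never decrypted, so signatures that
    require deep inspection could not match."""
    wanted = [n.lower() for n in should_be_inspected]
    hits = []
    for rec in records:
        host = rec.get("hostname", "").lower()
        if _is_exempt(rec) and _matches(host, wanted):
            hits.append((host, rec.get("reason", "unknown"), rec.get("profile", "")))
    return hits


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_SSL_LOGS)
    for reason, hosts in sorted(exemptions_by_reason(recs).items()):
        print(f"{reason:22s} {', '.join(sorted(hosts))}")
    for host, reason, profile in unexpected_exemptions(recs, ["whatsapp.com", "instagram.com"]):
        print(f"NOT INSPECTED: {host} exempted by '{reason}' in profile '{profile}'")
```

Run against a log export, the reason column tells you which knob to turn: entries attributed to the reputable-websites rating point at the 'Reputable websites' option, entries attributed to a category or address point at the exempt list the article says to review.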

 

Related article:
Technical Tip: Information on 'Reputable web sites' for SSL inspection